External locking mechanism for personal computer memory locations

ABSTRACT

A method and system for providing an external locking mechanism for memory locations. The memory includes a first plurality of storage locations configured with BIOS data and a second plurality of storage locations. The second plurality of storage locations includes a first plurality of blocks readable only in SMM and a second plurality of blocks readable in SMM and at least one operating mode other than SMM. The computer system includes a bus, a memory coupled to the bus, and a device coupled to access the memory over the bus. The memory includes a plurality of storage locations, divided into a plurality of memory units. The device includes one or more locks configured to control access to one or more of the plurality of memory units.

[0001] This Application is a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,395, entitled, “Enhanced Security and Manageability using Secure Storage in a Personal Computer System,” filed on May 11, 2001, whose inventors are Geoffrey S. Strongin and Dale E. Gulick. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,446, entitled, “Resource Sequester Mechanism,” filed on May 11, 2001, whose inventor is Dale E. Gulick. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,447, entitled, “Integrated Circuit for Security and Manageability,” filed on May 11, 2001, whose inventors are Dale E. Gulick and Geoffrey S. Strongin. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,225, entitled, “System Management Mode Duration and Management,” filed on May 11, 2001, whose inventors are Geoffrey S. Strongin and Dale E. Gulick. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,226, entitled, “Mechanism for Closing Back Door Access Mechanisms in Personal Computer Systems,” filed on May 11, 2001, whose inventor is Geoffrey S. Strongin. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/854,040, entitled, “Cryptographic Randomness Register for Computer System Security,” filed on May 11, 2001, whose inventor is Dale E. Gulick. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,465, entitled, “Cryptographic Command-Response Access to a Memory in a Personal Computer System,” filed on May 11, 2001, whose inventor is Geoffrey S. Strongin. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,443, entitled, “Protection Mechanism for Biometric Input Data,” filed on May 11, 2001, whose inventors are Dale E. Gulick and Geoffrey S. Strongin. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,437, entitled, “Personal Computer Security Mechanism,” filed on May 11, 2001, whose inventors are Geoffrey S. Strongin and Dale E. Gulick. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,335, entitled, “Asset Sharing between Host Processor and Security Hardware,” filed on May 11, 2001, whose inventors are Geoffrey S. Strongin and Dale E. Gulick. This Application is also a continuation-in-part of co-pending U.S. patent application Ser. No. 09/853,234, entitled, “Interruptable and Re-enterable System Management Mode Programming Code,” filed on May 11, 2001, whose inventors are Geoffrey S. Strongin and Dale E. Gulick. This Application is also a continuation-in-part, as are each of the above filed on May 11, 2001, of co-pending U.S. patent application Ser. No. 09/852,372, entitled, “Secure Execution Box and Method,” filed on May 10, 2001, whose inventors are Dale E. Gulick and Geoffrey S. Strongin. This Application is also a continuation-in-part, as are each of the above filed on May 11, 2001, of co-pending U.S. patent application Ser. No. 09/852,942, entitled, “Computer System Architecture for Enhanced Security and Manageability,” filed on May 10, 2001, whose inventors are Geoffrey S. Strongin and Dale E. Gulick.

BACKGROUND OF THE INVENTION

[0002] 1. Field of the Invention

[0003] This invention relates generally to computing systems, and, more particularly, to an external locking mechanism for controlling access to memory locations, e.g. the ROM BIOS, in a personal computer system.

[0004] 2. Description of the Related Art

[0005] FIG. 1A illustrates an exemplary computer system 100. The computer system 100 includes a processor 102, a north bridge 104, memory 106, Advanced Graphics Port (AGP) memory 108, a Peripheral Component Interconnect (PCI) bus 110, a south bridge 112, a battery, an AT Attachment (ATA) interface 114 (more commonly known as an Integrated Drive Electronics (IDE) interface), a universal serial bus (USB) interface 116, a Low Pin Count (LPC) bus 118, an input/output controller chip (SuperI/O™) 120, and BIOS memory 122. It is noted that the north bridge 104 and the south bridge 112 may include only a single chip or a plurality of chips, leading to the collective term “chipset.” It is also noted that other buses, devices, and/or subsystems may be included in the computer system 100 as desired, e.g. caches, modems, parallel or serial interfaces, SCSI interfaces, network interface cards, etc. [“SuperI/O” is a trademark of National Semiconductor Corporation of Santa Clara, Calif.]

[0006] The processor 102 is coupled to the north bridge 104. The north bridge 104 provides an interface between the processor 102, the memory 106, the AGP memory 108, and the PCI bus 110. The south bridge 112 provides an interface between the PCI bus 110 and the peripherals, devices, and subsystems coupled to the IDE interface 114, the USB interface 116, and the LPC bus 118. The battery 113 is shown coupled to the south bridge 112. The Super I/O™ chip 120 is coupled to the LPC bus 118.

[0007] The north bridge 104 provides communications access between and/or among the processor 102, memory 106, the AGP memory 108, devices coupled to the PCI bus 110, and devices and subsystems coupled to the south bridge 112. Typically, removable peripheral devices are inserted into PCI “slots” (not shown) that connect to the PCI bus 110 to couple to the computer system 100. Alternatively, devices located on a motherboard may be directly connected to the PCI bus 110.

[0008] The south bridge 112 provides an interface between the PCI bus 110 and various devices and subsystems, such as a modem, a printer, keyboard, mouse, etc., which are generally coupled to the computer system 100 through the LPC bus 118 (or its predecessors, such as an X-bus or an ISA bus). The south bridge 112 includes the logic used to interface the devices to the rest of computer system 100 through the IDE interface 114, the USB interface 116, and the LPC bus 118.

[0009] FIG. 1B illustrates certain aspects of the prior art south bridge 112, including those provided reserve power by the battery 113, so-called “being inside the RTC battery well” 125. The south bridge 112 includes south bridge (SB) RAM 126 and a clock circuit 128, both inside the RTC battery well 125. The SB RAM 126 includes CMOS RAM 126A and RTC RAM 126B. The RTC RAM 126B includes clock data 129 and checksum data 127. The south bridge 112 also includes, outside the RTC battery well 125, a CPU interface 132, power and system management units 133, PCI bus interface logic 134A, USB interface logic 134C, IDE interface logic 134B, and LPC bus interface logic 134D.

[0010] Time and date data from the clock circuit 128 are stored as the clock data 129 in the RTC RAM 126B. The checksum data 127 in the RTC RAM 126B may be calculated based on the CMOS RAM 126A data and stored by BIOS during the boot process, such as is described below, e.g. block 148, with respect to FIG. 2A. The CPU interface 132 may include interrupt signal controllers and processor signal controllers. The power and system management units 133 may include an ACPI (Advanced Configuration and Power Interface) controller.

[0011] From a hardware point of view, an x86 operating environment provides little for protecting user privacy, providing security for corporate secrets and assets, or protecting the ownership rights of content providers. All of these goals, privacy, security, and ownership (collectively, PSO) are becoming critical in an age of Internet-connected computers. The original personal computers were not designed in anticipation of PSO needs.

[0012] From a software point of view, the x86 operating environment is equally poor for PSO. The ease of direct access to the hardware through software or simply by opening the cover of the personal computer allows an intruder or thief to compromise most security software and devices. The personal computer's exemplary ease of use only adds to the problems for PSO.

SUMMARY OF THE INVENTION

[0013] In one aspect of the present invention, a computer system is provided. The computer system includes a bus, a memory coupled to the bus, and a device coupled to access the memory over the bus. The memory includes a plurality of storage locations, divided into a plurality of memory units. The device includes one or more locks configured to control access to one or more of the plurality of memory units. In various embodiments, the locks may include a plurality of registers. One or more entries in one or more of the plurality of registers may indicate an access control setting for one or more of the memory units.

[0014] In another aspect of the present invention, a memory is provided. The memory includes a first plurality of storage locations configured with BIOS data; and a second plurality of storage locations. The second plurality of storage locations includes a first plurality of blocks readable only in SMM and a second plurality of blocks readable in SMM and at least one operating mode other than SMM.

[0015] In still another aspect of the present invention, a method for operating a computer system is provided. The method includes requesting a memory transaction for one or more memory addresses and determining a lock status for the one or more memory addresses. The method also includes returning the lock status for the one or more memory addresses and determining if the lock status for the one or more memory addresses can be changed if the lock status indicates that the memory transaction for the one or more memory addresses is not allowed. The method also includes changing the lock status of the one or more memory addresses to allow the memory transaction if the lock status of the one or more memory addresses can be changed.

[0016] In still another aspect of the present invention, another method of operating a computer system is provided. This method includes issuing a request from a first device for a memory transaction for a memory location and receiving the request for the memory transaction at a second device that does not include the memory location or a copy of the contents of the memory location. This method also includes returning a response from the second device to the first device issuing the request for the memory transaction.

BRIEF DESCRIPTION OF THE DRAWINGS

[0017] The invention may be understood by reference to the following description taken in conjunction with the accompanying drawings, in which like reference numerals identify similar elements, and in which:

[0018] FIG. 1A illustrates a block diagram of a prior art computer system, while

[0019] FIG. 1B illustrates a block diagram of a prior art south bridge;

[0020] FIGS. 2A and 2B illustrate flowcharts of prior art methods for operating a computer system using code stored in ROM;

[0021] FIG. 3 illustrates a flowchart of an embodiment of data and command flow in a computer system having a secure execution box, according to one aspect of the present invention;

[0022] FIG. 4 illustrates a block diagram of an embodiment of a computer system including security hardware in the south bridge as well as a crypto-processor, according to one aspect of the present invention;

[0023] FIGS. 5A and 5B illustrate block diagrams of embodiments of a south bridge including security hardware for controlling SMM, according to various aspects of the present invention;

[0024] FIG. 6 illustrates a block diagram of an embodiment of a south bridge including security hardware for secure SMM operations, according to one aspect of the present invention;

[0025] FIGS. 7A, 7B, 7C, and 7D illustrate embodiments of secure storage, according to various aspects of the present invention;

[0026] FIGS. 8A and 8B illustrate block diagrams of embodiments of a BIOS ROM and an SMM ROM for secure SMM operations, respectively, according to various aspects of the present invention;

[0027] FIGS. 9A and 9B illustrate block diagrams of embodiments of a computer system operable to control the timing and duration of SMM operations, according to one aspect of the present invention;

[0028] FIG. 10A illustrates a flowchart of an embodiment of a method for forcing a processor out of SMM, according to one aspect of the present invention, while

[0029] FIG. 10B illustrates a flowchart of an embodiment of a method for reinitiating SMM upon the early termination of SMM, according to one aspect of the present invention;

[0030] FIGS. 11A and 11B illustrate flowcharts of embodiments of methods for updating a monotonic counter stored in the SMM ROM, according to various aspects of the present invention;

[0031] FIGS. 12A and 12B illustrate flowcharts of embodiments of methods for updating a monotonic counter in the south bridge, according to various aspects of the present invention;

[0032] FIGS. 13A and 13B illustrate flowcharts of embodiments of a method for providing a monotonic value in a computer system, according to one aspect of the present invention;

[0033] FIGS. 14A and 14B illustrate block diagrams of embodiments of processors including random number generators using entropy registers, according to one aspect of the present invention;

[0034] FIG. 15 illustrates a block diagram of another embodiment of a random number generator, according to one aspect of the present invention;

[0035] FIGS. 16A, 16B, 16C, 16D, 16E, 16F, and 16G illustrate flowcharts of embodiments of methods for accessing the security hardware, which may be locked, according to various aspects of the present invention;

[0036] FIGS. 17A, 17B, and 17C illustrate block diagrams of embodiments of the access locks 460 shown in FIG. 6, while

[0037] FIG. 17D illustrates a block diagram of an embodiment of the override register, all according to various aspects of the present invention;

[0038] FIG. 18A illustrates a prior art flowchart of an SMM program, while

[0039] FIG. 18B illustrates a flowchart of an embodiment of operation of an interruptible and re-enterable SMM program, and

[0040] FIG. 18C illustrates a flowchart of an embodiment of operation of a computer system running the interruptible and re-enterable SMM program, according to various aspects of the present invention;

[0041] FIGS. 19A, 19B, and 19C illustrate block diagrams of embodiments of computer systems with the BIOS ROM accessible to the processor at boot time and to the south bridge at other times, according to various aspects of the present invention;

[0042] FIGS. 20A-20D illustrate block diagrams of embodiments of processors including lock registers and logic, according to various aspects of the present invention;

[0043] FIG. 21 illustrates a flowchart of an embodiment of a method for initiating HDT mode, according to one aspect of the present invention;

[0044] FIG. 22 illustrates a flowchart of an embodiment of a method for changing the HDT enable status, according to one aspect of the present invention;

[0045] FIG. 23 illustrates a flowchart of an embodiment of a method for initiating the microcode loader, according to one aspect of the present invention;

[0046] FIG. 24 illustrates a flowchart of an embodiment of a method for changing the microcode loader enable status, according to one aspect of the present invention;

[0047] FIGS. 25A, 25B, 26, and 27 illustrate flowcharts of embodiments of methods for secure access to storage, according to various aspects of the present invention;

[0048] FIG. 28 illustrates a prior art challenge-response method for authentication;

[0049] FIGS. 29A, 29B, 29C, 29D, and 29E illustrate embodiments of computer devices or subsystems including GUIDs and/or a stored secret and/or a system GUID, according to various aspects of the present invention;

[0050] FIGS. 30A and 30B illustrate flowcharts of embodiments of methods for operating a computer system including a biometric device, such as the biometric device shown in FIG. 29A, according to various aspects of the present invention;

[0051] FIGS. 31A, 31B, 32A, 32B, 32C, and 33 illustrate flowcharts of embodiments of methods for authenticating a device in a computer system, such as computer systems including the computer subsystems of FIGS. 29A, 29D, and 29E, according to various aspects of the present invention;

[0052] FIGS. 34 and 35 illustrate flowcharts of embodiments of methods for removing a device from a computer system once the device has been united with the computer system using an introduced bit, according to various aspects of the present invention;

[0053] FIG. 36 illustrates a block diagram of an embodiment of a computer subsystem including bus interface logics with master mode capabilities, according to one aspect of the present invention;

[0054] FIG. 37 illustrates a flowchart of an embodiment of a method for operating in a master mode outside the operating system, according to one aspect of the present invention;

[0055] FIG. 38A illustrates a flowchart of an embodiment of a method for booting a computer system including authentication via the crypto-processor using master mode logic, while

[0056] FIG. 38B illustrates a flowchart of an embodiment of a method for booting a computer system including authentication via the security hardware using the master mode logic, according to various aspects of the present invention;

[0057] FIGS. 39A, 39B, and 39C illustrate block diagrams of embodiments of computer systems 5000 for securing a device, a computer subsystem, or a computer system using timers to enforce periodic authentication, according to various aspects of the present invention;

[0058] FIGS. 40A and 40B illustrate flowcharts of embodiments of a method for securing a device, a computer subsystem, or a computer system, such as a portable computer, by limiting use to finite periods of time between successive authorizations, according to various aspects of the present invention;

[0059] FIG. 41 illustrates a flowchart of an embodiment of a method for booting a computer system including initializing a timer to enforce periodic authentication and authorization, according to one aspect of the present invention; and

[0060] FIGS. 42A and 42B illustrate block diagrams of embodiments of the system management registers, according to various aspects of the present invention.

[0061] While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and are herein described in detail. It should be understood, however, that the description herein of specific embodiments is not intended to limit the invention to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

[0062] Illustrative embodiments of the invention are described below. In the interest of clarity, not all features of an actual implementation are described in this specification. It will, of course, be appreciated that in the development of any such actual embodiment, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which will vary from one implementation to another. Moreover, it will be appreciated that such a development effort might be complex and time-consuming, but would nevertheless be a routine undertaking for those of ordinary skill in the art having the benefit of this disclosure. The use of a letter in association with a reference number is intended to show alternative embodiments or examples of the item to which the reference number is connected.

[0063] System Management Mode (SMM) is a mode of operation in the computer system that was implemented to conserve power. The SMM was created for the fourth generation x86 processors. As newer x86 generation processors have appeared, the SMM has become relatively transparent to the operating system. That is, computer systems enter and leave the SMM with little or no impact on the operating system.

[0064] Referring now to the drawings, and in particular to FIG. 2A, a flowchart of a prior art method of initializing a computer system using code stored in the BIOS 122 is shown. During initialization of the power supply, the power supply generates a power good signal to the north bridge, in block 136. Upon receiving the power good signal from the power supply, the south bridge (or north bridge) stops asserting the reset signal for the processor, in block 138.

[0065] During initialization, the processor reads the default jump location, in block 140. The default jump location in memory is usually at a location such as FFFF0h. The processor performs a jump to the appropriate BIOS code location (e.g. FFFF0h) in the ROM BIOS, copies the BIOS code to the RAM memory, and begins processing the BIOS code instructions from the RAM memory, in block 142. The BIOS code, processed by the processor, performs a power-on self test (POST), in block 144.

[0066] The BIOS code next looks for additional BIOS code, such as from a video controller, IDE controller, SCSI controller, etc. and displays a start-up information screen, in block 146. As examples, the video controller BIOS is often found at C000h, while the IDE controller BIOS code is often found at C800h. The BIOS code may perform additional system tests, such as a RAM memory count-up test, and a system inventory, including identifying COM (serial) and LPT (parallel) ports, in block 148. The BIOS code also identifies plug-and-play devices and other similar devices and then displays a summary screen of devices identified, in block 150.

[0067] The BIOS code identifies the boot location, and the corresponding boot sector, in block 152. The boot location may be on a floppy drive, a hard drive, a CDROM, a remote location, etc. The BIOS code next calls the boot sector code at the boot location to boot the computer system, such as with an operating system, in block 154.

[0068] It is noted that for a cold boot or a hard (re)boot, all or most of the descriptions given in blocks 136-154 may occur. During a warm boot or a soft (re)boot the BIOS code usually jumps from block 142 into block 148, skipping the POST, memory tests, etc.

[0069] In FIG. 2B, a flowchart of a prior art method of operating a computer system in SMM using code stored in the BIOS 122 is shown. An interrupt controller receives a request for SMM, in block 172. The interrupt controller signals the request for SMM to the processor by asserting a system management interrupt (SMI#) signal, in block 174.

[0070] The processor recognizes the request for SMM and asserts an SMI ACTive (SMIACT#) signal, in block 176. The system recognizes the SMIACT# signal, disables access to the system RAM, and enables access to system management RAM (SMRAM) space, in block 178.

[0071] The current processor state is saved to SMRAM, in block 180. The processor resets to the SMM default state and enters SMM, in block 182. The processor next reads the default pointer and jumps to the appropriate place in SMRAM space, in block 184. In block 186, the source and/or nature of the SMI request is identified.

[0072] An SMI handler services the SMI request, in block 188. After servicing the SMI request, the SMI handler issues a return from SMM (RSM) instruction to the processor, in block 190. Upon operating on the RSM instruction, the processor restores the saved state information and continues normal operation, in block 192.

[0073] FIG. 3 illustrates a block diagram of an embodiment of a flowchart showing data and command flow in a computer system having a secure execution box 260, according to one aspect of the present invention. User input and output (I/O) data and/or commands 205 are provided to and received from one or more applications 210. The applications 210 exchange data and commands with cryptography service providers 215 within the computer system, such as the computer system 100 or any other computer system. The cryptography service providers 215 may use API (Application Programming Interface) calls 220 to interact with drivers 225 that provide access to hardware 230.

[0074] According to one aspect of the present invention, the drivers 225 and the hardware 230 are part of a secure execution box configured to operate in a secure execution mode (SEM) 260. Trusted privacy, security, and ownership (PSO) operations, also referred to simply as security operations, may take place while the computer system is in SEM 260. Software calls propagated from the user I/O 205 and/or the applications 210 may be placed into the secure execution box in SEM 260 via an SMM initiation register 425B (or SMM initiator 425A) discussed below with respect to FIG. 5B (or FIG. 5A). Parameters may be passed into and out of the secure execution box in SEM 260 via an access-protected mailbox RAM 415, also discussed below with FIGS. 5A and 5B. Through the secure execution box in SEM 260, the software calls have access to various security hardware resources, such as described in detail below.

[0075] In various embodiments of the present invention, power management functions may be performed inside SEM 260. One current standard for power management and configuration is the Advanced Configuration and Power Interface (ACPI) Specification. The most recent version is Revision 2.0, dated July 27, 2000, and available from the ACPI website currently run by Teleport Internet Services, hereby incorporated herein by reference in its entirety. According to the ACPI specification, control methods, a type of instruction, tell the system to go do something. The ACPI specification does not know how to carry out any of the instructions. The ACPI specification only defines the calls, and the software must be written to carry out the calls in a prescribed manner. The prescribed manner of the ACPI specification is very restrictive. Some registers in the hardware cannot be accessed in that manner. To access those registers, various aspects of the present invention generate an SMI# to enter SMM and read these registers. As power management has the potential to be abused, e.g. the processor voltage and frequency may be raised above operating limits to destroy the processor, or lowered below operating limits leading to a denial of service, ACPI calls should be carried out in a secure manner, such as inside SEM 260.

[0076] Inside SEM 260, each ACPI request can be checked against some internal rules for safe behavior. Using terminology more completely described below, the ACPI request would be placed in the inbox of the mailbox, parameter values read from the inbox, the ACPI request evaluated using the inbox parameters for acceptability, and then the request either carried out or not, based on the evaluation results. For additional details of various embodiments, see FIGS. 6, 42A, and 42B below.

[0077] FIG. 4 illustrates a block diagram of an embodiment of a portion of an improved version of computer system 100 including security hardware 370 in a south bridge 330, as well as a crypto-processor 305, according to one aspect of the present invention. The south bridge 330 includes the security hardware 370, an interrupt controller (IC) 365, USB interface logic 134C, and the LPC bus interface logic (LPC BIL) 134D. The IC 365 is coupled to the processor 102. The USB interface logic 134C is coupled through an optional USB hub 315 to a biometric device 320 and a smart card reader 325. The LPC bus 118 is coupled to the south bridge 330 through the LPC BIL 134D. The crypto-processor 305 is also coupled to the LPC bus 118. A memory permission table 310 within the crypto-processor 305 provides address mappings and/or memory range permission information. The memory permission table 310 may be comprised in a non-volatile memory. A BIOS 355, i.e. some memory, preferably read-only memory or flash memory, is coupled to the crypto-processor 305. The security hardware 370 may include both security hardware and secure assets protected by the security hardware. The security hardware 370 in the south bridge 330 may be operable to provide an SMI interrupt request to the IC 365 for the processor 102. The security hardware 370 may also interact with the crypto-processor 305. Access to the BIOS 355 is routed through the crypto-processor 305. The crypto-processor 305 is configured to accept and transfer access requests to the BIOS 355. The crypto-processor 305 therefore may understand the address mappings of the BIOS 355. According to one aspect of the present invention, the security hardware 370 allows the computer system 100 to become an embodiment of the secure execution box 260 shown in FIG. 3.
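The lock method of [0015] and the mediated BIOS access of [0077] (a device in front of the memory, holding neither the contents nor a copy, that returns a lock status to the requester) can be modelled as a small simulation. This is an added example, not code from the application: the memory-unit size, the "sticky until reset" bit, and the rule that a lock may only be changed while the system is in SMM are assumptions chosen to make the method concrete.

```python
"""Model of per-memory-unit access locks mediating BIOS transactions.

Added example (not code from the patent application). The memory is divided
into fixed-size units; one lock-register entry per unit records its access
control setting ([0013]). The rules for *changing* a lock are assumptions:
a lock may only be changed while the system is in SMM, and an entry whose
'sticky' bit is set stays frozen until the next reset.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional

UNIT_SIZE = 64 * 1024  # assumed memory-unit granularity (64 KiB blocks)


class Op(Enum):
    READ = auto()
    WRITE = auto()


@dataclass
class LockEntry:
    """One lock-register entry: the access control setting of one unit."""
    read_allowed: bool = True
    write_allowed: bool = False
    sticky: bool = False  # assumed: once set, the entry is frozen until reset

    def allows(self, op: Op) -> bool:
        return self.read_allowed if op is Op.READ else self.write_allowed


@dataclass
class LockedMemoryDevice:
    """The device between the bus and the memory ([0013], [0016]).

    It holds no copy of the memory contents; it only decides whether a
    transaction may proceed and returns the lock status to the requester.
    """
    num_units: int
    in_smm: bool = False
    locks: List[LockEntry] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.locks:
            self.locks = [LockEntry() for _ in range(self.num_units)]

    def unit_of(self, addr: int) -> int:
        unit = addr // UNIT_SIZE
        if not 0 <= unit < self.num_units:
            raise ValueError(f"address {addr:#x} outside memory")
        return unit

    def lock_status(self, addr: int, op: Op) -> bool:
        """Determine (and return) the lock status for one address."""
        return self.locks[self.unit_of(addr)].allows(op)

    def can_change(self, addr: int) -> bool:
        """Assumed rule: changeable only in SMM and only if not sticky."""
        return self.in_smm and not self.locks[self.unit_of(addr)].sticky

    def request(self, addr: int, op: Op, end: Optional[int] = None) -> dict:
        """Run the method of [0015] over the address range [addr, end].

        Returns the per-unit lock status, which units were unlocked, and
        whether the transaction is finally allowed.
        """
        end = addr if end is None else end
        units = range(self.unit_of(addr), self.unit_of(end) + 1)
        status: Dict[int, bool] = {u: self.locks[u].allows(op) for u in units}
        changed = []
        for u in units:
            if status[u] or not self.can_change(u * UNIT_SIZE):
                continue
            # Lock status may be changed: unlock this unit for the operation.
            if op is Op.READ:
                self.locks[u].read_allowed = True
            else:
                self.locks[u].write_allowed = True
            status[u] = True
            changed.append(u)
        return {"status": status, "changed": changed,
                "allowed": all(status.values())}

    def seal(self, addr: int) -> None:
        """Freeze a unit's entry until reset (assumed 'sticky' bit)."""
        self.locks[self.unit_of(addr)].sticky = True


def demo() -> dict:
    """Constructed scenario: 4 units of BIOS, unit 0 holding the boot block."""
    dev = LockedMemoryDevice(num_units=4)
    dev.seal(0x0)  # boot block: write-locked until reset
    out = {}
    # A normal-mode write to unit 1 is refused and cannot be unlocked.
    out["os_write"] = dev.request(0x1_0000, Op.WRITE)
    # In SMM the handler may unlock unit 1 and write it ...
    dev.in_smm = True
    out["smm_write"] = dev.request(0x1_0000, Op.WRITE)
    # ... but the sealed boot block stays locked even in SMM.
    out["smm_boot"] = dev.request(0x0, Op.WRITE)
    # A range spanning units 0-1: the sealed unit blocks the whole transaction.
    out["smm_range"] = dev.request(0x0, Op.WRITE, end=0x1_0000)
    return out
```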

[0078] In one embodiment, the crypto-processor 305 is configured to accept an input from the biometric device 320 and/or the smart card reader 325 over the USB interface, i.e. through the optional USB hub 315 and the USB interface logic 134C, and over the LPC bus 118. Other interfaces, such as IDE or PCI, may be substituted. The crypto-processor 305 may request one or more inputs from the biometric device 320 and/or the smart card reader 325 to authenticate accesses to the BIOS 355, other storage devices, and/or another device or subsystem in the computer system 100.

[0079] It is noted that the IC 365 may be included in the processor instead of the south bridge 330. The IC 365 is also contemplated as a separate unit or associated with another component of the computer system 100. It is also noted that the operations of the LPC bus 118 may correspond to the prior art Low Pin Count Interface Specification Revision 1.0 of Sep. 29, 1997. The operations of the LPC bus 118 may also correspond to the extended LPC bus disclosed in co-pending U.S. patent application Ser. No. 09/544,858, filed April 7, 2000, entitled “Method and Apparatus For Extending Legacy Computer Systems”, whose inventor is Dale E. Gulick, which is hereby incorporated by reference in its entirety. It is further noted that the USB interface logic 134C may couple to the LPC BIL 134D in any of a variety of ways, as is well known in the art for coupling different bus interface logics in a bridge.

[0080] FIGS. 5A and 5B illustrate block diagrams of embodiments of the south bridge 330, including the security hardware 370, according to various aspects of the present invention. In FIG. 5A, the south bridge 330A includes the security hardware 370A and IC 365. The security hardware 370A includes sub-devices such as an SMM timing controller 401A, an SMM access controller 402A, and control logic 420A. The sub-devices may be referred to as security hardware or secure assets of the computer system 100. The SMM timing controller 401A includes an SMM indicator 405, a duration timer 406A, a kick-out timer 407A, and a restart timer 408. The SMM access controller 402A includes SMM access filters 410, mailbox RAM 415, and an SMM initiator 425A.

[0081] As shown in FIG. 5A, the control logic 420 is coupled to control operation of the SMM timing controller 401A, the SMM access controller 402A, and the SMM initiator 425A. Input and output (I/O) to the security hardware 370A pass through the SMM access filters 410 and are routed through the control logic 420A.

[0082] The SMM timing controller 401A includes the duration timer 406A, which measures how long the computer system 100 is in SMM. The kick-out timer 407A, also included in the SMM timing controller 401A, counts down from a predetermined value while the computer system 100 is in SMM. The control logic 420A is configured to assert a control signal (EXIT SMM 404) for the processor to exit SMM, such as in response to the expiration of the kick-out timer 407A. The restart timer 408, included in the SMM timing controller 401A, starts counting down from a predetermined value after the kick-out timer 407A reaches zero. The SMM indicator 405, also included in the SMM timing controller 401A, is operable to monitor the status of one or more signals in the computer system, such as the SMI# (System Management Interrupt) signal and/or the SMIACT# (SMI ACTive) signal to determine if the computer system is in SMM.
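The interplay of the duration timer 406A, kick-out timer 407A and restart timer 408 in [0082] can be seen in a tick-by-tick simulation. This is an added example, not the application's own logic: the reload values are constructed, one call of `tick()` stands for one timer clock, and the restart timer is assumed to raise a new SMM request when it expires (the text only says it starts counting after the kick-out timer reaches zero).

```python
"""Tick-level model of the SMM timing controller 401A ([0082]).

Added example, not the patent application's code. Assumptions: each call
of tick() is one timer clock; reload values are constructed; the restart
timer re-requests SMM when it expires.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SmmTimingController:
    kickout_reload: int = 8      # assumed maximum SMM dwell, in ticks
    restart_reload: int = 4      # assumed delay before SMM is re-requested
    smiact_n: bool = True        # SMIACT# is active-low: True = deasserted
    duration: int = 0            # duration timer 406A (counts up in SMM)
    kickout: int = 0             # kick-out timer 407A (counts down in SMM)
    restart: int = 0             # restart timer 408 (counts down after kick-out)
    exit_smm: bool = False       # EXIT SMM 404 control signal
    smm_req: bool = False        # re-entry request (assumed behaviour)
    log: List[Tuple[str, int]] = field(default_factory=list)

    @property
    def in_smm(self) -> bool:
        """SMM indicator 405: in SMM while SMIACT# is asserted (low)."""
        return not self.smiact_n

    def enter_smm(self) -> None:
        self.smiact_n = False
        self.duration = 0
        self.kickout = self.kickout_reload
        self.exit_smm = False
        self.smm_req = False

    def leave_smm(self) -> None:
        self.smiact_n = True
        self.log.append(("leave", self.duration))

    def tick(self) -> None:
        if self.in_smm:
            self.duration += 1
            if self.kickout > 0:
                self.kickout -= 1
                if self.kickout == 0:
                    # Dwell limit reached: force the processor out and arm
                    # the restart timer.
                    self.exit_smm = True
                    self.restart = self.restart_reload
                    self.log.append(("kickout", self.duration))
                    self.leave_smm()  # the processor honours EXIT SMM
        elif self.restart > 0:
            self.restart -= 1
            if self.restart == 0:
                self.smm_req = True  # assumed: ask for SMM again
                self.log.append(("restart", self.restart_reload))


def run_scenario(handler_ticks: int) -> List[Tuple[str, int]]:
    """A handler wanting `handler_ticks` of SMM time; returns the event log."""
    c = SmmTimingController()
    c.enter_smm()
    for _ in range(handler_ticks):
        if not c.in_smm:
            break  # kicked out early
        c.tick()
    if c.in_smm:
        c.leave_smm()  # a well-behaved handler returns via RSM
    for _ in range(c.restart_reload + 1):
        c.tick()  # let the restart timer run down, if it was armed
    return c.log
```

A short handler leaves on its own and never arms the restart timer; one that overstays is kicked out at the dwell limit and the restart timer then fires.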

[0083] The SMM access controller 402A includes the SMM access filters 410, which are configured to accept input requests for the sub-devices within the security hardware 370A. When the computer system 100 is in SMM, the SMM access filters are configured to pass access requests (e.g. reads and writes) to the control logic 420A and/or the target sub-device. When the computer system 100 is not in SMM, the SMM access filters are configured to respond to all access requests with a predetermined value, such as all ‘1’s. The SMM access controller 402A also includes the mailbox RAM 415. In one embodiment, the mailbox RAM 415 includes two banks of RAM, such as 512 bytes each, for passing parameters into and out of the secure execution box 260. Parameters passed to or from the sub-devices included within the security hardware 370 are exchanged at the mailbox RAM 415. One bank of RAM 415, an inbox, is write-only to most or all of the computer system in most operating modes. Thus, parameters to be passed to the sub-devices included within the security hardware 370 may be written into the inbox. During selected operating modes, such as SMM, both read and write accesses are allowed to the inbox. Another bank of RAM 415, an outbox, is read-only to most or all of the computer system in most operating modes. Thus, parameters to be received from the sub-devices included within the security hardware 370 may be read from the outbox. During selected operating modes, preferably secure modes, such as SMM, both read and write accesses are allowed to the outbox.

[0084] The SMM initiator 425A may advantageously provide for a convenient way to request that the computer system 100 enter SMM. A signal may be provided to the SMM initiator 425A over the request (REQ) line. The signal should provide an indication of the jump location in SMM memory. The SMM initiator 425A is configured to make a request for SMM over the SMM request (SMM REQ) line, for example, by submitting an SMI# to the interrupt controller 365. The SMM initiator 425A is also configured to notify the control logic 420A that the request for SMM has been received and passed to the interrupt controller 365.

[0085] In FIG. 5B, the south bridge 330B includes the security hardware 370B. The IC 365 is shown external to the south bridge 330B. The security hardware 370B includes an SMM timing controller 401B, an SMM access controller 402B, and control logic 420B. The SMM timing controller 401B includes an SMM indicator 405, a duration/kick-out timer 407B, and a restart timer 408. The SMM access controller 402B includes SMM access filters 410 and mailbox RAM 415. An SMM initiation register 425B is shown external to the south bridge 330B.

[0086] As shown in FIG. 5B, the control logic 420B is coupled to control operation of the SMM timing controller 401B and the SMM access controller 402B. Input and output (I/O) signals to the security hardware 370B pass through the SMM access filters 410 and are routed through the control logic 420B. The control logic 420B is also coupled to receive an indication of a request for SMM from the SMM initiation register 425B.

[0087] The SMM timing controller 401B includes the duration/kick-out timer 407B, which measures how long the computer system 100 is in SMM by counting up to a predetermined value while the computer system 100 is in SMM. The control logic 420B is configured to assert a control signal for the processor to exit SMM in response to the duration/kick-out timer 407B reaching the predetermined value. The restart timer 408 starts counting down from a predetermined value after the duration/kick-out timer 407B reaches the predetermined value. The SMM indicator 405 is operable to monitor the status of one or more signals in the computer system, such as the SMI# (System Management Interrupt) signal and/or the SMIACT# (SMI ACTive) signal, to determine if the computer system is in SMM.

[0088] The SMM access controller 402B includes the SMM access filters 410, which are configured to accept input requests for the sub-devices within the security hardware 370B. When the computer system 100 is in SMM, the SMM access filters are configured to pass access requests (e.g. reads and writes) to the control logic 420B and/or the target sub-device. When the computer system 100 is not in SMM, the SMM access filters may be configured to respond to all access requests with a predetermined value, such as all ‘1’s. The SMM access controller 402B also includes the mailbox RAM 415, described above with respect to FIG. 5A.
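The access filter behaviour of [0083] and [0088], and the inbox/outbox round trip through the mailbox RAM 415, can be modelled in a few lines of C. The code below is an added illustration and is not part of this application or of any product it describes; the target names, the function names, the single-byte stand-in for a sub-device register, and the 512-byte bank size taken from the example in [0083] are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added model of the SMM access filters 410 and mailbox RAM 415. The bank
 * size follows the 512-byte example in the text; the target names, the
 * function names and the "secure_reg" stand-in for a sub-device register
 * are assumptions made for this illustration. */

#define MAILBOX_BANK_SIZE   512u
#define FILTERED_VALUE      0xFFu   /* "all 1s" returned to requests outside SMM */

typedef enum { TGT_SECURE_REG, TGT_INBOX, TGT_OUTBOX } target_t;

typedef struct {
    bool    in_smm;                       /* output of the SMM indicator 405 */
    uint8_t inbox[MAILBOX_BANK_SIZE];     /* write-only outside SMM */
    uint8_t outbox[MAILBOX_BANK_SIZE];    /* read-only outside SMM */
    uint8_t secure_reg;                   /* stand-in for a sub-device register */
} smm_filter_t;

void filter_init(smm_filter_t *f) { memset(f, 0, sizeof *f); }

/* Read through the filters. The outbox is always readable; everything else
 * answers with FILTERED_VALUE unless the system is in SMM. */
uint8_t filter_read(const smm_filter_t *f, target_t t, unsigned off)
{
    if (t != TGT_SECURE_REG && off >= MAILBOX_BANK_SIZE) return FILTERED_VALUE;
    switch (t) {
    case TGT_OUTBOX:     return f->outbox[off];
    case TGT_INBOX:      return f->in_smm ? f->inbox[off] : FILTERED_VALUE;
    case TGT_SECURE_REG: return f->in_smm ? f->secure_reg : FILTERED_VALUE;
    }
    return FILTERED_VALUE;
}

/* Write through the filters. The inbox always accepts writes; everything
 * else is dropped unless the system is in SMM. Returns whether the write landed. */
bool filter_write(smm_filter_t *f, target_t t, unsigned off, uint8_t v)
{
    if (t != TGT_SECURE_REG && off >= MAILBOX_BANK_SIZE) return false;
    switch (t) {
    case TGT_INBOX:      f->inbox[off] = v; return true;
    case TGT_OUTBOX:     if (!f->in_smm) return false; f->outbox[off] = v; return true;
    case TGT_SECURE_REG: if (!f->in_smm) return false; f->secure_reg = v; return true;
    }
    return false;
}

/* One parameter round trip: code outside SMM drops a value into the inbox,
 * the SMM handler reads it, works on it (here: doubles it) and leaves the
 * result in the outbox, and the caller collects it after RSM. */
uint8_t mailbox_round_trip(smm_filter_t *f, uint8_t param)
{
    f->in_smm = false;
    filter_write(f, TGT_INBOX, 0, param);
    f->in_smm = true;                             /* SMI# taken, handler running */
    uint8_t p = filter_read(f, TGT_INBOX, 0);
    filter_write(f, TGT_OUTBOX, 0, (uint8_t)(p * 2u));
    f->in_smm = false;                            /* RSM executed */
    return filter_read(f, TGT_OUTBOX, 0);
}

uint8_t round_trip_example(void)
{
    smm_filter_t f; filter_init(&f);
    return mailbox_round_trip(&f, 21);            /* constructed input: 21 -> 42 */
}

/* Outside SMM, a read of the inbox or of a sub-device register must come
 * back as the filtered value, and writes to the outbox or the register must
 * be dropped. Returns the number of checks that passed (of 4). */
unsigned filter_blocks_outside_smm(void)
{
    smm_filter_t f; filter_init(&f);
    f.in_smm = true;  filter_write(&f, TGT_SECURE_REG, 0, 0x5A); f.in_smm = false;
    unsigned ok = 0;
    ok += filter_read(&f, TGT_SECURE_REG, 0) == FILTERED_VALUE;
    ok += filter_read(&f, TGT_INBOX, 0) == FILTERED_VALUE;
    ok += !filter_write(&f, TGT_SECURE_REG, 0, 0x00);
    ok += !filter_write(&f, TGT_OUTBOX, 0, 0x00);
    return ok;
}

int main(void)
{
    printf("round trip 21 -> %u, checks outside SMM passed: %u/4\n",
           round_trip_example(), filter_blocks_outside_smm());
    return 0;
}
```

Outside SMM the model answers every read of the inbox or of a sub-device register with all ones and discards writes to the outbox or the register, so code that is not in SMM learns nothing from the filtered registers and cannot plant a result in the outbox; only the inbox is open to it, and only for depositing parameters.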

[0089] The SMM initiation register 425B may advantageously provide for a convenient way to request that the computer system 100 enter SMM. A signal may be provided to the SMM initiation register 425B over the request (REQ) line. The signal should provide an indication of the jump location in SMM memory. The SMM initiation register 425B is configured to provide the indication to the control logic 420B. The control logic 420B is configured to make a request for SMM over the SMM request (SMM REQ) line, for example, by submitting an SMI# to the interrupt controller 365.

[0090] It is noted that in the embodiment illustrated in FIG. 5A, the SMM initiator 425A includes internal logic for handling the SMM request. In the embodiment illustrated in FIG. 5B, the SMM initiation register 425B relies on the control logic 420B to handle the SMM request. It is also noted that the SMM initiator 425A is part of the security hardware 370A, while the SMM initiation register 425B is not part of the security hardware 370B.

[0091] FIG. 6 illustrates a block diagram of an embodiment of the south bridge 330C including security hardware 370C, according to one aspect of the present invention. As shown, the security hardware 370C includes sub-devices, such as the SMM timing controller 401, the SMM access controller 402, the control logic 420, a TCO counter 430, a monotonic counter 435A, the scratchpad RAM 440, a random number generator 455, secure system (or SMM) management registers 470, OAR (Open At Reset) locks 450, and an OAR override register 445. The SMM access controller 402 includes one or more access locks 460 within the SMM access filters 410. Some aspects of embodiments of the SMM timing controller 401, the SMM access controller 402, and the control logic 420 are described herein with respect to FIGS. 5A and 5B, above.

[0092] The embodiment of the SMM access controller 402 illustrated in FIG. 6 includes the one or more access locks 460 within the SMM access filters 410. The access locks 460 provide a means of preventing (or locking) and allowing (or unlocking) access to one or more of the devices within the security hardware 370C. Various embodiments for the one or more access locks 460 are shown in FIGS. 17A-17C and described with reference thereto.

[0093] In one embodiment, the access locks 460 are open at reset (OAR), allowing the BIOS software access to the security hardware 370. The BIOS software then closes the access locks 460 prior to calling the boot sector code, shown in block 154 in FIG. 2A. In various embodiments, the access locks 460 may be opened by software or hardware to allow for access to the security hardware 370. For example, the access locks 460 may be opened by a signal from the IC 365 or the processor 102 (or 805A or 805B from FIGS. 9A and 9B) or the control logic 420. The access locks 460 may be opened in response to an SMI# or in response to the processor 102 or 805 entering SMM. Additional information on the access locks 460 may be obtained from one or more of the methods 1600A-1600C described below with respect to FIGS. 16A-16C.

[0094] The TCO counter (or timer) 430 may include a programmable timer, such as a count-down timer, that is used to detect a lock-up of the computer system 100. Lock-up may be defined as a condition of the computer system 100 where one or more subsystems or components do not respond to input signals for more than a predetermined period of time. The input signals may include internal signals from inside the computer system 100 or signals from outside the computer system 100, such as from a user input device (e.g. keyboard, mouse, trackball, biometric device, etc.). It is also noted that the lock-ups may be software or hardware in nature. According to various aspects of the present invention, the TCO counter 430 may be programmed and read from inside SMM. The TCO counter 430 is preferably programmed with a value less than a default duration for the kick-out timer 407. In one embodiment, the TCO timer 430 generates an SMI# upon a first expiration of the TCO timer 430, and the TCO timer 430 generates a reset signal for the computer system upon a second, subsequent expiration of the TCO timer 430.

[0095] In one embodiment, the TCO timer 430 may be accessed by the computer system 100 or software running in the computer system 100 for the computer system 100 to recover from lock-ups when the computer system is not in SMM. In another embodiment, the TCO timer 430 may be accessed by the computer system 100 both in and out of SMM.
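The two-stage behaviour of the TCO timer 430 in [0094], an SMI# on the first expiration and a reset on the second, is a watchdog. The following C model, added here as an illustration and not taken from the application, shows how a system whose SMI handler re-arms the timer avoids the reset while a locked-up system, whose handler never runs, does not. The tick granularity, the rule that only SMM may program the timer (the embodiment of [0094]), and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the two-stage TCO timer 430: the first expiration raises an
 * SMI#, a second expiration without reprogramming in between raises a system
 * reset. Tick granularity, the in-SMM programming rule and the function names
 * are assumptions for this illustration. */

typedef enum { TCO_EV_NONE, TCO_EV_SMI, TCO_EV_RESET } tco_event_t;

typedef struct {
    uint32_t reload;        /* value programmed from SMM */
    uint32_t count;         /* remaining ticks */
    bool     running;
    bool     first_expired; /* an SMI# has fired and has not been serviced */
} tco_t;

/* Programming (or re-arming) the timer is only honoured in SMM. */
bool tco_program(tco_t *t, bool in_smm, uint32_t ticks)
{
    if (!in_smm || ticks == 0) return false;
    t->reload = ticks;
    t->count = ticks;
    t->running = true;
    t->first_expired = false;   /* servicing the SMI# clears the first stage */
    return true;
}

/* One timer tick. */
tco_event_t tco_tick(tco_t *t)
{
    if (!t->running) return TCO_EV_NONE;
    if (--t->count > 0) return TCO_EV_NONE;
    t->count = t->reload;                 /* restart for the second stage */
    if (!t->first_expired) {
        t->first_expired = true;
        return TCO_EV_SMI;                /* first expiration: give SMM a chance */
    }
    t->running = false;
    return TCO_EV_RESET;                  /* second expiration: system did not recover */
}

/* Simulate a system whose SMI handler either re-arms the timer (a live
 * system) or never runs (a locked-up system). Returns the tick on which the
 * reset fired, or 0 if no reset occurred within max_ticks. */
unsigned tco_simulate(uint32_t period, bool handler_alive, unsigned max_ticks)
{
    tco_t t = {0};
    tco_program(&t, true, period);        /* BIOS arms it from SMM at boot */
    for (unsigned tick = 1; tick <= max_ticks; tick++) {
        tco_event_t ev = tco_tick(&t);
        if (ev == TCO_EV_RESET) return tick;
        if (ev == TCO_EV_SMI && handler_alive)
            tco_program(&t, true, period);    /* handler runs in SMM and re-arms */
    }
    return 0;
}

/* Programming outside SMM is rejected and leaves the timer stopped. */
bool tco_rejects_programming_outside_smm(void)
{
    tco_t t = {0};
    return !tco_program(&t, false, 10) && !t.running;
}

int main(void)
{
    printf("locked-up system resets on tick %u; live system resets on tick %u (0 = never)\n",
           tco_simulate(3, false, 50), tco_simulate(3, true, 50));
    return 0;
}
```

With a period of 3 ticks the locked-up system sees the SMI# on tick 3 and the reset on tick 6; the live system re-arms on every SMI# and is never reset. Keeping the period below the kick-out timer's default, as [0094] recommends, means the SMI handler that re-arms the timer is itself bounded in how long it can hold the system in SMM.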

[0096] The monotonic counter 435A comprises a counter, preferably at least 32 bits and inside the RTC battery well 125, which updates when the value stored in the monotonic counter 435A is read. The monotonic counter 435A is configured to update the value stored to a new value that is larger than the value previously stored. Preferably, the new value is only larger by the smallest incremental amount possible, although other amounts are also contemplated. Thus, the monotonic counter 435A may advantageously provide a value that is always increasing up to a maximum or rollover value. Additional details may be found below with respect to FIGS. 8, 12, and 13.

[0097] The scratchpad RAM 440 includes one or more blocks of memory that are available only while the computer system 100 is in certain operating modes, such as SMM. It is also contemplated that other sub-devices of the security hardware 370 may use the scratchpad RAM 440 as a private memory. One embodiment of the scratchpad RAM 440 includes 1 kB of memory, although other amounts of memory are also contemplated. In one embodiment, the scratchpad RAM is open at reset to all or most of the computer system 100, while in another embodiment, the scratchpad RAM is inaccessible while the computer system is booting.

[0098] The random number generator (RNG) 455 is configured to provide a random number with a number of bits within a predetermined range. In one embodiment, a new random number from 1 to 32 bits in length is provided in response to a request for a random number. It is noted that restricting access to the RNG, such as only in SMM, may advantageously force software to access the RNG through a standard API (application programming interface), allowing for increased security and easing hardware design constraints. Additional details may be found below with respect to FIGS. 14 and 15.

[0099] The OAR locks 450 may include a plurality of memory units (e.g. registers), which include associated programming bits (or lock bits) that lock the memory (or memories) used to store BIOS information or other data, for example, BIOS ROM 355 and SMM ROM 550 in FIGS. 7A and 7B below. Each memory unit may have, by way of example, three lock bits associated with it. In one embodiment, four 8-bit registers may store the lock bits for each 512 kB ROM page, one register for every two 64-kB segments. With sixteen blocks of four registers, a maximum of 8 MB of ROM may be locked. Addressing may be as follows:

  64-kB segments   Register     Address
  0, 1             Register 0   FFBx,E000h
  2, 3             Register 1   FFBx,E001h
  4, 5             Register 2   FFBx,E002h
  6, 7             Register 3   FFBx,E003h

[0100] Each physical ROM chip may include four identification pins (ID[3:0]), known as strapping pins. The strapping pins may be used to construct sixteen spaces of 64 kB each. The ‘x’ in the address may represent the decode of the strapping pins, or the inverse.

[0101] The lock registers from the OAR locks 450 may include:

  Register\Bits   7          6:4 (OAR Lock)   3          2:0 (OAR Lock)
  Register 0      Reserved   Segment 1        Reserved   Segment 0
  Register 1      Reserved   Segment 3        Reserved   Segment 2
  Register 2      Reserved   Segment 5        Reserved   Segment 4
  Register 3      Reserved   Segment 7        Reserved   Segment 6

[0102] In one embodiment, one bit controls write access, one bit controls read access, and one bit prevents the other two bits from being changed. In one embodiment, once the locking bit is set (also described as the state being locked down), the write access bit and read access bit cannot be reprogrammed until the memory receives a reset signal. The layout of each register may include:

  Bit     7       6        5        4        3       2        1        0
  Value   Rsvrd   Lock 2   Lock 1   Lock 0   Rsvrd   Lock 2   Lock 1   Lock 0

[0103] With a decode of the three lock bits including:

  Decode   Read Lock   Lock-Down   Write Lock   Resulting block state
           (Data 2)    (Data 1)    (Data 0)
  0x00     0           0           0            Full access
  0x01     0           0           1            Write locked (default state)
  0x02     0           1           0            Lock open (full access locked down)
  0x03     0           1           1            Write locked down
  0x04     1           0           0            Read locked
  0x05     1           0           1            Read and write locked
  0x06     1           1           0            Read locked down
  0x07     1           1           1            Read and write locked down
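The register layout and decode of [0099] through [0103] can be exercised with a small C model of the OAR lock registers. This is an added example, not code from the application; the page/segment indexing, the rule that a set lock-down bit freezes its whole 3-bit field until reset, the bus-write entry point, and the function names are assumptions drawn from the tables above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added model of the OAR lock registers: per 512 kB ROM page, four 8-bit
 * registers (FFBx,E000h..E003h) each hold two 3-bit lock fields, bits 2:0
 * for the even segment and bits 6:4 for the odd segment. Field bit 0 =
 * write lock, bit 1 = lock-down, bit 2 = read lock. The indexing scheme and
 * the function names are assumptions for this illustration. */

#define OAR_PAGES           16u      /* sixteen 512 kB pages, 8 MB total */
#define OAR_REGS_PER_PAGE   4u
#define OAR_SEGS_PER_PAGE   8u       /* 64 kB segments per page */

#define OAR_WRITE_LOCK  0x1u
#define OAR_LOCK_DOWN   0x2u
#define OAR_READ_LOCK   0x4u
#define OAR_FIELD_MASK  0x7u
#define OAR_DEFAULT     OAR_WRITE_LOCK   /* 0x01: write locked, the default state */

typedef struct { uint8_t reg[OAR_PAGES][OAR_REGS_PER_PAGE]; } oar_locks_t;

/* Reset returns every field to the default, which is what makes the locks
 * "open at reset": BIOS can then reprogram them before handing off. */
void oar_reset(oar_locks_t *o)
{
    memset(o, (OAR_DEFAULT << 4) | OAR_DEFAULT, sizeof *o);   /* 0x11 per register */
}

static unsigned oar_shift(unsigned seg) { return (seg & 1u) ? 4u : 0u; }

uint8_t oar_get(const oar_locks_t *o, unsigned page, unsigned seg)
{
    return (uint8_t)((o->reg[page][seg / 2u] >> oar_shift(seg)) & OAR_FIELD_MASK);
}

/* Program one segment's lock field. Once lock-down is set, the field is
 * frozen until reset and the write is refused. Reserved bits are never stored. */
bool oar_set(oar_locks_t *o, unsigned page, unsigned seg, uint8_t field)
{
    if (page >= OAR_PAGES || seg >= OAR_SEGS_PER_PAGE) return false;
    if (oar_get(o, page, seg) & OAR_LOCK_DOWN) return false;
    unsigned sh = oar_shift(seg);
    uint8_t *r = &o->reg[page][seg / 2u];
    *r = (uint8_t)((*r & ~(OAR_FIELD_MASK << sh)) | ((field & OAR_FIELD_MASK) << sh));
    return true;
}

/* A bus write to register n of a page programs two segments at once;
 * each half is accepted or refused on its own lock-down state. */
bool oar_write_register(oar_locks_t *o, unsigned page, unsigned n, uint8_t value)
{
    if (n >= OAR_REGS_PER_PAGE) return false;
    bool even = oar_set(o, page, 2u * n, value & OAR_FIELD_MASK);
    bool odd  = oar_set(o, page, 2u * n + 1u, (value >> 4) & OAR_FIELD_MASK);
    return even && odd;
}

bool oar_read_allowed(const oar_locks_t *o, unsigned page, unsigned seg)
{
    return !(oar_get(o, page, seg) & OAR_READ_LOCK);
}

bool oar_write_allowed(const oar_locks_t *o, unsigned page, unsigned seg)
{
    return !(oar_get(o, page, seg) & OAR_WRITE_LOCK);
}

/* The decode table from the text, indexed by the 3-bit field. */
const char *oar_state_name(uint8_t field)
{
    static const char *names[8] = {
        "Full access", "Write locked (default state)",
        "Lock open (full access locked down)", "Write locked down",
        "Read locked", "Read and write locked",
        "Read locked down", "Read and write locked down",
    };
    return names[field & OAR_FIELD_MASK];
}

/* Boot-time sequence: BIOS locks down segment 0 of page 0 as write-locked
 * (0x03) and opens segment 1 permanently (0x02); later code then tries to
 * undo both. Returns the number of expectations met (of 6). */
unsigned oar_boot_scenario(void)
{
    oar_locks_t o; oar_reset(&o);
    unsigned ok = 0;
    ok += oar_get(&o, 0, 0) == OAR_DEFAULT;                  /* OAR default */
    ok += oar_write_register(&o, 0, 0, 0x23);                /* seg1 = 0x2, seg0 = 0x3 */
    ok += !oar_set(&o, 0, 0, 0x00);                          /* frozen: stays 0x03 */
    ok += !oar_write_allowed(&o, 0, 0) && oar_read_allowed(&o, 0, 0);
    ok += !oar_set(&o, 0, 1, OAR_WRITE_LOCK) && oar_write_allowed(&o, 0, 1);
    oar_reset(&o);                                           /* only a reset reopens */
    ok += oar_get(&o, 0, 0) == OAR_DEFAULT && oar_set(&o, 0, 0, 0x00);
    return ok;
}

int main(void)
{
    printf("boot scenario: %u/6 expectations met; 0x02 = %s\n",
           oar_boot_scenario(), oar_state_name(0x02));
    return 0;
}
```

The scenario is the one the text implies for BIOS: program the fields while they are still open at reset, set lock-down on the ones that must not change, and rely on the hardware to refuse every later write until the next reset. Note that state 0x02 (lock open, locked down) is just as permanent as 0x03: whichever access policy BIOS locks down is the one that survives until reset.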

[0104] The embodiment of the security hardware 370C illustrated in FIG. 6 also includes the OAR override register 445. The OAR override register 445 provides a mechanism for allowing (or unlocking) and preventing (or locking) access to one or more of the devices within the security hardware 370C. The OAR override register 445 also provides a mechanism to override the access locks 460. In one embodiment, the OAR override register 445 includes a first indicator that the access locks 460 are to be ignored, with access to the security hardware locked by the access locks 460 either always available or never available, as implemented. The OAR override register 445 may also include a second indicator that the status of the first indicator may be changed, or not. If the second indicator shows that the first indicator may not be changed, then the device including the OAR override register 445 preferably needs a reset for the second indicator to be changed. In other words, the second indicator is preferably OAR, similar to one embodiment of the access locks 460.

[0105] Methods that include using the access locks 460 and/or the OAR override indicators are described below with respect to FIGS. 16A-16F. Various embodiments for the one or more access locks 460 are shown in FIGS. 17A-17C and described with reference thereto, and an embodiment of the OAR override register 445 is shown in FIG. 17D and described with reference thereto.

[0106] Example embodiments of the secure system management registers 470 are shown below in FIGS. 98A and 98B and described therewith. Briefly, in one embodiment, the secure system management registers 470 include one or more ACPI lock bits 9810 to secure various ACPI or related functions against unauthorized changes. The ACPI lock bits 9810, once set, prevent changes to the ACPI or related functions. A request to change one of the ACPI or related functions requires that a respective ACPI lock bit 9810N be released before the respective one of the ACPI or related functions is changed. In another embodiment, the secure system management registers 470 include one or more ACPI range registers 9820 and/or one or more ACPI rule registers 9830. Each ACPI range register 9820 may be configured to store a value or values that define allowable or preferred values for a specific ACPI or related function. Each ACPI rule register 9830 may be configured to store part or all of a rule for determining if a change to one of the ACPI or related functions should be allowed. Examples of ACPI or related functions include changing a voltage, changing a frequency, turning on or off a cooling fan, and a remote reset of the computer system.

[0107] In one embodiment, the access locks 460 are open at reset (OAR), allowing the BIOS software access to the security hardware 370. The BIOS software then closes the access locks 460 prior to calling the boot sector code, shown in block 154 in FIG. 2A. In various embodiments, the access locks 460 may be opened by software or hardware to allow for access to the security hardware 370. For example, the access locks 460 may be opened by a signal from the IC 365 or the processor 102 (or 805A or 805B from FIGS. 9A and 9B) or the control logic 420. The access locks 460 may be opened in response to an SMI# or in response to the processor 102 or 805 entering SMM. Additional information on the access locks 460 may be obtained from one or more of the methods 1600A-1600C described below with respect to FIGS. 16A-16C.

[0108] It is noted that in one embodiment, all of the security hardware 370 (and the SMM initiation register 425B) are inside the RTC battery well 125. In other embodiments, selected sub-devices of the security hardware 370 are excluded from the RTC battery well 125. In one embodiment, only a portion of the scratchpad RAM 440 is inside the RTC battery well 125, with the remaining portion outside the RTC battery well 125. For example, in one embodiment, the mailbox RAM 415 is outside the RTC battery well 125.

[0109] FIGS. 7A and 7B illustrate embodiments of extended BIOS security, according to various aspects of the present invention. In FIG. 7A, the BIOS ROM 355 and the SMM ROM 550 are coupled to the LPC bus 118. As shown, a crypto processor 305, including a secret 610A, is coupled between the BIOS ROM 355 and the LPC bus 118. In FIG. 7B, an extended BIOS ROM 555 is shown coupled to the LPC bus 118. The extended BIOS ROM 555 includes the BIOS ROM 355 and the SMM ROM 550.

[0110] BIOS ROM 355 memory space in the computer system 100 may include anywhere from 128 kB to 4 MB, divided into 64 kB segments. An additional 4 MB or more of SMM ROM 550 memory space may be addressed via a paging mechanism, for example, where the second page of ROM memory space is within separate chips and selected by an additional set of identification select (IDSEL) pins. Each segment of the BIOS ROM 355 memory space and the SMM ROM 550 memory space may be lockable, and open at reset. In one embodiment, the access protection mechanism (i.e. the lock) is not implemented in the BIOS ROM 355 or SMM ROM 550, but, for example, in the south bridge 330C in the security hardware 370C, as previously described with respect to FIG. 6.

[0111] In one embodiment, the BIOS ROM 355 includes 4 MB of memory space. Read access to the BIOS ROM 355 memory space may be unrestricted at any time. Write locks on the BIOS ROM 355 memory space may be OAR and cover the memory space from FFFF,FFFFh to FFC0,0000h, in 32-bit address space on the LPC bus 145.

[0112] In one embodiment, the crypto processor 305 is a specialized processor that includes specialized cryptographic hardware. In another embodiment, the crypto processor 305 includes a general-purpose processor programmed with cryptographic firmware or software. In still another embodiment, the crypto processor 305 includes a general-purpose processor modified with specialized cryptographic hardware. Selected methods that may use or include the crypto processor 305 are described with respect to FIGS. 25A-26, with an example of a prior art challenge-response authentication (or verification) method shown in FIG. 28.

[0113] Other embodiments are also contemplated. For example, the BIOS ROM 355 may be coupled to the LPC bus 118, and the crypto processor 305 may be coupled between the SMM ROM 550 and the LPC bus 118. Also, the crypto processor 305 may be coupled between the extended BIOS ROM 555 and the LPC bus 118.

[0114] FIG. 7C illustrates an embodiment of protected storage 605, according to one aspect of the present invention. As shown, protected storage 605 is coupled to the LPC bus 118 and includes logic 609 and secret 610B, in addition to its storage locations. The protected storage 605 may include memory, such as RAM, ROM, flash memory, etc., or other storage media, such as hard drives, CDROM storage, etc. Although shown as a single unit, the protected storage is also contemplated as a sub-system that includes separate components for storage and logic, such as shown in FIG. 7D. According to FIG. 7D, a crypto-processor 305, including a secret 610A, is coupled in front of a protected storage 605B. Access to the protected storage 605B is through the crypto-processor 305. The protected storage 605B includes data storage 608A, access logic 609B, a lock register 606, and code storage 607, including a secret 610B.

[0115] FIGS. 8A and 8B illustrate block diagrams of embodiments of a BIOS ROM 355 and an SMM ROM 550 for secure SMM operations, respectively, according to various aspects of the present invention. As shown in FIG. 8A, the BIOS ROM 355 may include data storage 608B, a secret 610C, and private memory 606.

[0116] As shown in FIG. 8B, the SMM ROM 550 may be divided into a plurality of SMM ROM blocks 605-615, a stored secret 620, a plurality of public ROM blocks 625-630, one or more reserved ROM blocks 635, one or more registers 640, and a monotonic counter 435B.

[0117] The plurality of SMM ROM blocks 605-615 may include an SMM ROM 0 block 605, an SMM ROM 1 block 610, and an SMM ROM 2 block 615. The plurality of public ROM blocks 625-630 may include a public ROM block 0 625 and a public ROM block 1 630. One embodiment of access rights, lock status, and 32-bit address ranges in the LPC bus 118 space is given here in table form:

  ROM block          Read access    Write lock                  Address range
  SMM ROM 0 (605)    SMM only       Write once                  FFBx,1FFFh : FFBx,0000h
  SMM ROM 1 (610)    SMM only       Never erase                 FFBx,3FFFh : FFBx,2000h
  SMM ROM 2 (615)    SMM only       None                        FFBx,5FFFh : FFBx,4000h
  SMM counter (620)  SMM only       None                        FFBx,7FFFh : FFBx,6000h
  Public 0 (625)     Unrestricted   Write once in SMM           FFBx,9FFFh : FFBx,8000h
  Public 1 (630)     Unrestricted   Never erase, write in SMM   FFBx,BFFFh : FFBx,A000h
  Reserved (635)     N/A            N/A                         FFBx,DFFFh : FFBx,C000h
  Registers (640)    N/A            N/A                         FFBx,FFFFh : FFBx,E000h

[0118] The ‘x’ in the address ranges given in the table may denote the strapping pin decode or their inverse. In one embodiment, the ROM blocks 605-615 and 625-630 in the table are each 64 kB in size. In one embodiment, the computer system may support up to 8 MB of extended BIOS ROM 555 storage, divided into sixteen pages of 512 kB each. In another embodiment, the memory address range from FFBx,FFFFh down to FFBx,0000h includes the plurality of SMM ROM blocks 605-615, the SMM counter 620, the plurality of public ROM blocks 625-630, the one or more registers 640, and the monotonic counter 435B.

[0119] The one or more reserved ROM blocks 635 may be used for future expansion. The one or more registers 640 may store additional data, as needed.

[0120] In one embodiment, the monotonic counter 435B is stored flat, such as a chain of 8-bit values in an 8K-byte ROM. This embodiment provides 8K bits that are counted by noting the number of changed bits (or the most significant bit that is different). It is noted that 8K bits stored flat translates into 13 bits binary (i.e. 8×1024 = 8192 = 2¹³). The monotonic counter 435B is initially in the erased state, such as with all bits set to one. Any time the computer system is reset as a result of a power failure and there is an invalid RTC checksum, such as when the RTC battery 113 is not present, boot software inspects the monotonic counter 435B and updates it. The boot software may look for the most significant byte including at least one changed bit, such as a zero. Initially, byte 0 (zero) is chosen when the monotonic counter 435B is in the erased state. Typically, the RTC checksum 127 is calculated by boot code from the BIOS whenever it updates the CMOS RAM 126A in the RTC battery well 125. The RTC checksum 127 is then stored in the RTC RAM 126B, also in the RTC battery well 125, which also holds date and time data. Typically, the RTC RAM 126B may be 256 bytes in size.

[0121] Flat encoding of the monotonic counter 435B is preferred to other methods of encoding primarily when the monotonic counter 435B is stored in flash memory. Other methods of encoding may be preferred when other memory types are used to store the values for the monotonic counter 435B. One consideration in choosing the method of encoding is which method of encoding provides for maximum use of the memory.

[0122] Continuing with the above embodiment for updating the monotonic counter 435B, the next most significant bit, in the most significant byte including at least one zero, is set to zero. For example, if byte five of the monotonic counter 435B returns 0000,0000b and byte six of the monotonic counter 435B returns 1111,0000b, then the boot software will write byte six of the monotonic counter 435B as 1111,0000b. If byte five of the monotonic counter 435B returns 0000,0000b and byte six of the monotonic counter 435B returns 1111,1111b, then the boot software would write byte six of the monotonic counter 435B as 1111,1110b.

[0123] Reading the monotonic counter 435B as the most significant bits and the monotonic counter 435A shown in FIG. 6 as the least significant bits, a 45-bit monotonic counter 435 may be read to obtain an always-increasing 48-bit value, when monotonic counter 435B provides 13 bits and monotonic counter 435A provides 32 bits. In this embodiment, the monotonic counter 435A provides bytes zero, one, two, and three, while the monotonic counter 435B provides bytes four and five of the six-byte value. Numbers of bits other than 45 are likewise contemplated.

[0124] Two special conditions are contemplated. If the monotonic counter 435A is read when storing the default or erased value, such as all ones, then the monotonic counter 435B in the SMM ROM 550 is updated. If the monotonic counter 435B in the SMM ROM 550 is updated a predetermined number of times, such as 65,536 times, then the boot software must erase the monotonic counter 435B in the SMM ROM 550 and start over with the default value, e.g. all ones.

[0125] By way of example and not limitation, consider the monotonic counter 435A and the monotonic counter 435B each storing one byte of eight bits. For this example, the monotonic counter 435A, in the south bridge 330, returns ‘00001111’, while the monotonic counter 435B, in the SMM ROM 550, returns ‘11110000’. The value from the flat encoded monotonic counter 435B is converted to standard binary as ‘00000100b’. The 16-bit monotonic value becomes ‘000001000000111b’ when the binary value from monotonic counter 435B is combined with the binary value from monotonic counter 435A.

[0126] A flat encoding may advantageously allow for increased reliability if the monotonic counter 435B is stored in flash memory. Updating the monotonic counter 435B has no cost, while erasing the flash memory does have a cost in long-term reliability. The monotonic counter 435B should be stored in non-volatile memory. Other memory types contemplated include encapsulated RAM with an included power supply.
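The flat encoding of [0120] through [0126] and its combination with the binary monotonic counter 435A are modelled below in C. The code is an added illustration, not part of the application; it assumes the flat array is consumed from byte 0 upward and within each byte from bit 0 upward (matching the 1111,1111b to 1111,1110b example in [0122]), uses an 8-byte array in place of the 8K-byte ROM, and invents the function names. The worked figures of [0125] are reproduced by combined_example().

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added model of the flat-encoded monotonic counter 435B and its combination
 * with the binary counter 435A. Assumptions: bytes are consumed from byte 0
 * upward and bits within a byte from bit 0 upward; the array is 8 bytes
 * instead of the 8K of the text; all function names are invented. */

#define FLAT_BYTES 8u

typedef struct {
    uint8_t  rom[FLAT_BYTES];   /* "flash": erased state is all ones */
    unsigned erase_count;       /* erases are the costly operation */
} flat_counter_t;

void flat_erase(flat_counter_t *c)
{
    memset(c->rom, 0xFF, sizeof c->rom);
    c->erase_count++;
}

/* Decode: the count is the number of cleared bits. Fully cleared bytes
 * contribute 8 each; the first partially cleared byte ends the scan. */
uint32_t flat_decode(const flat_counter_t *c)
{
    uint32_t n = 0;
    for (unsigned i = 0; i < FLAT_BYTES; i++) {
        uint8_t b = c->rom[i];
        if (b == 0x00) { n += 8; continue; }
        for (unsigned bit = 0; bit < 8; bit++)
            if (!(b & (1u << bit))) n++;
        break;
    }
    return n;
}

/* Update: clear the lowest set bit of the first byte that still has one.
 * Only 1->0 transitions occur, which flash permits without an erase.
 * Returns false when every bit is already zero (an erase is required). */
bool flat_increment(flat_counter_t *c)
{
    for (unsigned i = 0; i < FLAT_BYTES; i++) {
        if (c->rom[i] != 0x00) {
            c->rom[i] &= (uint8_t)(c->rom[i] - 1u);
            return true;
        }
    }
    return false;
}

/* Combine: 435B supplies the high bits, 435A the low low_bits bits. */
uint64_t monotonic_combine(uint32_t flat_value, uint32_t fast_value, unsigned low_bits)
{
    return ((uint64_t)flat_value << low_bits) | fast_value;
}

/* The worked example from the text: 435A returns 00001111b, 435B returns
 * 11110000b (four cleared bits = 4), and the combined 16-bit value is 0x040F. */
uint64_t combined_example(void)
{
    flat_counter_t c = { {0}, 0 };
    flat_erase(&c);
    c.rom[0] = 0xF0;                     /* constructed: four bits cleared */
    return monotonic_combine(flat_decode(&c), 0x0F, 8);
}

/* Full life cycle: count the increments available before the array is
 * exhausted, then erase and confirm the count restarts at zero. */
unsigned flat_increments_until_exhausted(void)
{
    flat_counter_t c = { {0}, 0 };
    flat_erase(&c);
    unsigned n = 0;
    while (flat_increment(&c)) n++;
    if (flat_decode(&c) != n) return 0;   /* decode must track every update */
    flat_erase(&c);
    return flat_decode(&c) == 0 ? n : 0;
}

int main(void)
{
    printf("combined example = 0x%04llX, increments per erase = %u\n",
           (unsigned long long)combined_example(), flat_increments_until_exhausted());
    return 0;
}
```

Every update is a single 1-to-0 bit change, which is why the flat form suits flash: the erase, the only operation that wears the part, happens once per 8 × FLAT_BYTES updates (64 here, 8192 for the 8K-bit counter of [0120]) rather than on every update. With the 8K-bit counter the decoded value fits in 13 bits, which is the high part of the 45-bit value of [0123].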

[0127] One use of the monotonic counters 435A and 435B is as a source for a nonce. Each nonce must be different. Differences may be predictable or unpredictable. Nonces may be used to help prevent replay attacks. When a message is encrypted, changing even one bit changes the encrypted message. Any strong encryption method distributes even a one-bit change extensively. A nonce may be used in a challenge-response method, such as described below.

[0128] Providing the monotonic counters 435A and 435B as two counters, instead of one, may advantageously allow for larger values while minimizing the number of bits stored in the non-volatile memory. Access to the monotonic counter 435A is typically faster than access to the monotonic counter 435B, so the monotonic counter 435A may be used independently when a fast access time is important, so long as the length of the monotonic value stored in the monotonic counter 435A is adequate for the desired purpose.

[0129] FIGS. 9A and 9B illustrate block diagrams of embodiments of computer systems 800A and 800B that control the timing and duration of SMM, according to various aspects of the present invention. FIGS. 9A and 9B include a processor 805, a north bridge 810, memory 106, and the south bridge 330. The processor includes an SMM exit controller 806 and one or more SMM MSRs (machine specific registers) 807. The north bridge 810 includes a memory controller 815. The south bridge 330 includes the SMM timing controller 401 and the scratchpad RAM 440. The north bridge 810 is coupled between the processor 805 and the south bridge 330, to the processor 805 through a local bus 808 and to the south bridge 330 through the PCI bus 110. The north bridge 810 is coupled to receive the SMIACT# signal from the processor 805.

[0130] In the embodiment of FIG. 9A, the computer system 800A signals that the processor 805 is in SMM using standard processor signals (e.g. SMIACT# to the north bridge 810) and/or bus cycles on the local bus 808 and PCI bus 110. In the embodiment of FIG. 9B, the computer system 800B signals that the processor 805 is in SMM using standard processor signals (e.g. SMIACT#) to both the north bridge 810 and the south bridge 330. An exit SMM signal 404 is also shown between the SMM timing controller 401 and the SMM exit controller 806.

[0131] While the processor 805 is in SMM, the processor 805 knows that it is in SMM and asserts SMIACT# to the north bridge 810 and/or the south bridge 330. The processor 805 may, for example, set and read one or more hardware flags or signals associated with SMM. These hardware flags or signals may be in the processor 805, or in the north bridge 810. In one embodiment, the north bridge 810 receives the SMIACT# signal and, in response to receiving the SMIACT# signal, signals the south bridge 330 that the processor is in SMM by sending a special bus cycle or an encoded bus cycle over the PCI bus 110. In another embodiment, the SMIACT# signal is received directly by the south bridge 330.

[0132] In one embodiment, an SMM-specific hardware flag at an internal memory interface in the processor 805 is set when the processor 805 enters SMM. Any address call by the processor 805 is routed through the internal memory interface. The internal memory interface determines where the address call should be routed. If the SMM-specific hardware flag is set, then memory calls to SMM memory addresses are recognized as valid SMM memory calls. If the SMM-specific hardware flag is not set, then memory calls to SMM memory addresses are not recognized as valid SMM memory calls.

[0133] It is noted that other buses using other bus protocols may couple the processor 805, the north bridge 810, and the south bridge 330. These buses may use bus protocols that include a bus cycle that indicates that the computer system 800 is in SMM. It is also noted that processor signals other than SMIACT# may be directly received by the south bridge 330, such as the SMI# signal or another dedicated signal.

[0134] The SMM exit controller 806 in the processor 805 is configured to receive a request to the processor 805 to exit SMM. In one embodiment, the SMM exit controller 806 is operable to exit SMM prior to completing the task for which the SMI# was originally asserted that led to the processor 805 being in SMM. Upon receiving the request to exit SMM, the SMM exit controller 806 is configured to read the contents of the one or more SMM MSRs 807 to obtain a jump location for a clean-up routine, preferably stored in ROM, in SMM memory space. The SMM MSRs 807 may also store one or more bits to indicate that an SMM routine has been interrupted and/or a re-entry point (e.g. an address in SMM memory space) in the interrupted SMM routine. The SMM exit controller 806 may be configured to store the one or more bits indicating that the SMM routine has been interrupted and the re-entry point.

[0135] FIG. 10A illustrates a block diagram of one embodiment of a flowchart of a method for forcing the processor 805 out of SMM early, according to one aspect of the present invention. The method includes checking if the computer system is in SMM in decision block 905. If the computer system is not in SMM in decision block 905, then the method continues checking to determine if the computer system is in SMM in decision block 905. If the computer system is in SMM in decision block 905, then the method initiates the kick-out timer 407 in block 910.

[0136] The method next checks to determine if the kick-out timer 407 has expired in decision block 915. If the kick-out timer 407 has not expired, then the method continues checking to determine if the kick-out timer 407 has expired in decision block 915. If the kick-out timer 407 has expired in decision block 915, then the method transmits a request to the processor to exit SMM without completing the SMI request that invoked SMM, in block 920. The processor saves the state of the SMM session without finishing the SMM session and exits SMM, in block 925.

[0137] The request to the processor to exit SMM, in block 920, may include submitting an RSM (Resume from System Management mode) instruction, or other control signal delivered over the system bus, to the processor. Upon executing the RSM instruction, or receiving the control signal through the interface logic to the system bus, the processor exits SMM and the processor's previous state is restored from system management memory. The processor then resumes any application that was interrupted by SMM. In another embodiment, the request to the processor to exit SMM includes another device in the computer system, such as the south bridge, asserting a control signal, such as the exit SMM signal, to the processor to exit SMM.

[0138] The processor saving the SMM state, in block 925, may include setting a bit to indicate that the SMM session was not finished. If the SMM code has multiple entry points, then the processor may also save an indication of which entry point should be used upon re-entering SMM, to finish the unfinished SMM session. These indications may be saved in any of a number of places, such as the one or more SMM MSRs 807 or the scratchpad RAM 440. It is also contemplated that another specific storage location could be designed into or associated with the processor 805, the north bridge 810, the interrupt controller 365, and/or the south bridge 330.

[0139] FIG. 10B illustrates a block diagram of an embodiment of a flowchart of a method for reinitiating SMM a preselected period of time after the early termination of SMM, according to one aspect of the present invention. It is noted that FIG. 10B may be a continuation of the method shown in FIG. 10A, or a stand-alone method. The method of FIG. 10B includes initiating the restart timer 408, in block 1010. The method checks if the restart timer 408 has expired, in decision block 1015. If the restart timer 408 has not expired, then the method continues checking to determine if the restart timer 408 has expired, in decision block 1015.

[0140] If the restart timer 408 has expired in decision block 1015, then the method asserts an SMI request to the processor, in block 1020. The processor enters SMM and looks for an entry indicating that a previous SMM session has been ended prior to fulfilling the previous SMM request, in block 1025. The entry may be, as examples, a flag bit that has been set, or a stored jump location in a default location. The method checks for an unfinished SMM session in decision block 1030. If there is no unfinished SMM session in decision block 1030, then the method starts a new SMM session, in block 1035. If there is an unfinished SMM session in decision block 1030, then the method reads the saved status information about the previous SMM session, in block 1040, and continues the previous SMM session, in block 1045. It is noted that the method may make use of the saved status information, from block 1040, when continuing the previous SMM session, in block 1045.

[0141] FIGS. 11A and 11B illustrate flowcharts of embodiments of methods 1100A and 1100B for upgrading the monotonic counter 435B, which may be stored in the SMM ROM 550, according to various aspects of the present invention. The method 1100A, shown in FIG. 11A, includes checking the RTC checksum, in block 1105. In decision block 1110, if the RTC checksum is valid, then the method 1100A exits. In decision block 1110, if the RTC checksum is not valid, then the method 1100A inspects the monotonic counter 435B in the SMM ROM 550 in block 1115. In decision block 1120A, the method checks if the value stored in the monotonic counter 435B in the SMM ROM 550 is the default (e.g. reset or rollover) value.

[0142] In decision block 1120A, if the value stored in the monotonic counter 435B in SMM ROM 550 is the default value, then the method 1100A updates the value stored in the monotonic counter 435B to an incremental value, in block 1130A, preferably the smallest possible incremental value. In decision block 1120A, if the value stored in the monotonic counter 435B in the SMM ROM 550 is not equal to the default value, then the method 1100A identifies the value stored in monotonic counter 435B in the SMM ROM 550, in block 1125A. After identifying the value stored, in block 1125A, the method 1100A updates the value stored in the monotonic counter 435B in the SMM ROM 550 by the incremental value, in block 1135A.

[0143] The method 1100B, shown in FIG. 11B, includes checking the RTC checksum, in block 1105. In decision block 1110, if the RTC checksum is valid, then the method 1100B exits. In decision block 1110, if the RTC checksum is not valid, then the method 1100B inspects the monotonic counter 435B in the SMM ROM 550 in block 1115. In decision block 1120B, the method checks if the values stored in the monotonic counter 435B in the SMM ROM 550 are all ones.

[0144] In decision block 1120B, if all values in the monotonic counter 435B in SMM ROM 550 are equal to one (i.e. the reset value), then the method 1100B updates the first byte so that a zero is stored as the least significant bit in block 1130B. In decision block 1120B, if all values in the monotonic counter 435B in the SMM ROM 550 are not equal to one, then the method 1100B identifies the highest numbered byte with a zero in a most significant bit location, in block 1125B, or the first byte if no byte has a zero in the most significant bit position. After identifying a highest numbered byte with a zero in its most significant bit location or the first byte, in block 1125B, the method 1100B updates the next highest numbered byte or the first byte with a zero in its next most significant bit location without a zero, in block 1135B.

[0145] FIGS. 12A and 12B illustrate flowcharts of embodiments of methods 1200A and 1200B for updating a monotonic counter 435A in the south bridge 330, according to various aspects of the present invention. The method 1200A checks to see if the value stored in the monotonic counter 435A in the south bridge 330 is the maximum value that can be stored, in decision block 1205A. If the value stored in the monotonic counter 435A in the south bridge 330 is not the maximum value, in decision block 1205A, then the method 1200A exits. If the value stored in the monotonic counter 435A in the south bridge 330 is the maximum value that can be stored, in decision block 1205A, then the method 1200A inspects the monotonic counter 435B in the SMM ROM 550 in decision block 1210. The method 1200A checks to see if the value stored in the monotonic counter 435B in the SMM ROM 550 is the default (or reset) value, in decision block 1215A.

[0146] If in decision block 1215A, the value stored in the monotonic counter 435B in the SMM ROM 550 is the default value, then the method 1200A updates the value stored in the monotonic counter 435B in the SMM ROM 550 with an incremental value, in block 1225A, preferably the smallest possible incremental value. If, in decision block 1215A, the value stored in the monotonic counter 435B in SMM ROM 550 is not the default value, then the method 1200A identifies the value stored in the monotonic counter 435B in the SMM ROM 550, in block 1220A. After the method 1200A identifies the value stored, in block 1220A, the method 1200A updates the value stored in the monotonic counter 435B in the SMM ROM 550 by the incremental value, in block 1230A.

[0147] The method 1200B, shown in FIG. 12B, checks to see if all values in the monotonic counter 435A in the south bridge 330 are equal to one (i.e. the reset value), in decision block 1205B. If all values in the monotonic counter 435A in the south bridge 330 are not equal to one, in decision block 1205B, then the method 1200B exits. If all values in the monotonic counter 435A in the south bridge 330 are equal to one, in decision block 1205B, then the method 1200B inspects the monotonic counter 435B in the SMM ROM 550, in decision block 1210. The method 1200B checks to see if all values in the monotonic counter 435B in the SMM ROM 550 are equal to one, in decision block 1215B.

[0148] If in decision block 1215B, all values in the monotonic counter 435B in the SMM ROM 550 are equal to one, then the method 1200B updates the first byte with a zero in its least significant bit, in block 1225B. If, in decision block 1215B, all values in the monotonic counter 435B in SMM ROM 550 are not equal to one, then the method 1200B identifies the highest numbered byte with a zero in its most significant bit location, in block 1220B, or the first byte if no byte has a zero in the most significant bit location. After the method 1200B identifies the highest numbered byte with a zero in its most significant bit location or the first byte, in block 1220B, the method 1200B updates the next highest numbered byte, or the first byte, with a zero in the next most significant bit location, in block 1230B.

[0149] FIG. 13A and FIG. 13B illustrate block diagrams of flowcharts of embodiments of methods 1300A and 1300B for providing a value from a monotonic counter 435 in the computer system, according to various aspects of the present invention. The method 1300A receives a request for a value from the monotonic counter 435 in block 1305. The method 1300A requests the value from the monotonic counter 435A in the south bridge 330 in block 1310. The method 1300A updates the value in the monotonic counter 435A in south bridge 330 in block 1315. The method 1300A checks the updated value from monotonic counter 435A in the south bridge 330 for a rollover value, in block 1320.

[0150] In decision block 1325, if the rollover value has been reached, then the method 1300A updates the value in the monotonic counter 435B in the SMM ROM 550 in block 1330. If the rollover value has not been reached in decision block 1325, or if the method 1300A has updated the value in the monotonic counter 435B in the SMM ROM 550 in block 1330, then the method 1300A provides the updated value from the monotonic counter 435A in the south bridge 330 in block 1335.

[0151] The method 1300B requests the value from the monotonic counter 435B in the SMM ROM 550, in block 1340. The method 1300B receives the value from the monotonic counter 435B in the SMM ROM 550 in block 1345. The value from the monotonic counter 435A in the south bridge 330 is combined with the value from the monotonic counter 435B in the SMM ROM 550 in block 1350. The method 1300B provides the combined value in response to the request for the value from the monotonic counter in block 1355.

[0152] As noted above, the monotonic counter 435A in the south bridge 330 may include a 32-bit value, while the monotonic counter 435B in the SMM ROM 550 may include a 15-bit value. The returned value from the monotonic counter 435, provided in response to the request for the value of the monotonic counter, would then include a 45-bit value.

[0153] It is noted that the 32-bit value from the monotonic counter 435A in the south bridge 330 may be provided by software instead of being read from the south bridge 330. In the software embodiment, the software itself provides a 32-bit, always increasing, i.e. monotonic value, which is combined with the value from the monotonic counter 435B in the SMM ROM 550 to provide a unique 45-bit value. It is also noted that the size of the monotonic counters 435A and 435B in the south bridge 330 and in the SMM ROM 550, respectively, may be designed with other bit sizes, as desired.

[0154] Although the methods 1100A, 1100B, 1200A, and 1200B show updates to the monotonic counters 435A and 435B as being in-line with monotonic value requests, it is also contemplated that software or hardware may be used to update the monotonic counters 435A and 435B separately from the monotonic value requests. Such updates could occur, for example, after the monotonic value request that leads to the monotonic value reaching the rollover value.
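The two-part counter of methods 1100B, 1200B, 1300A and 1300B, as an added C model that is not code from the patent: the SMM ROM counter 435B is kept in flash-style bytes that reset to all ones and whose bits can only be cleared in place, so each update clears exactly one more bit in the byte-by-byte order of blocks 1120B-1135B, and a request for a monotonic value advances the 32-bit counter 435A, advances 435B on rollover, and combines the two. The counter sizes, the reading of the ROM counter value as the number of cleared bits, and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model for this example (not the patent's own code). Counter
 * 435A is a plain 32-bit register that wraps; counter 435B lives in ROM
 * whose bits reset to 1 and can only go 1 -> 0 without an erase, so it is
 * advanced one bit at a time as described in blocks 1120B-1135B. */
#define ROM_COUNTER_BYTES 4          /* 32 ROM bits: assumption for the model */
#define ROM_ERASED_BYTE   0xFFu      /* reset/default value: all ones */

typedef struct {
    uint8_t  rom[ROM_COUNTER_BYTES]; /* monotonic counter 435B (SMM ROM) */
    uint32_t sb;                     /* monotonic counter 435A (south bridge) */
} mono_counter_t;

void mono_reset(mono_counter_t *m) {
    memset(m->rom, ROM_ERASED_BYTE, sizeof m->rom);
    m->sb = 0;
}

/* Flash-style write: a bit may go 1 -> 0, never 0 -> 1, without an erase. */
static bool rom_write(mono_counter_t *m, size_t i, uint8_t v) {
    if (i >= ROM_COUNTER_BYTES || (v & (uint8_t)~m->rom[i]) != 0)
        return false;                /* would need to set a cleared bit */
    m->rom[i] = v;
    return true;
}

static bool rom_all_ones(const mono_counter_t *m) {
    for (size_t i = 0; i < ROM_COUNTER_BYTES; i++)
        if (m->rom[i] != ROM_ERASED_BYTE) return false;
    return true;
}

/* Value of counter 435B in this model: the number of bits cleared so far. */
uint32_t rom_value(const mono_counter_t *m) {
    uint32_t zeros = 0;
    for (size_t i = 0; i < ROM_COUNTER_BYTES; i++)
        for (int b = 0; b < 8; b++)
            if (((m->rom[i] >> b) & 1u) == 0) zeros++;
    return zeros;
}

/* Blocks 1120B-1135B: advance counter 435B by clearing exactly one more bit.
 * Returns false when every bit is already zero (the ROM counter would need
 * an erase, which this model does not perform). */
bool rom_increment(mono_counter_t *m) {
    if (rom_all_ones(m))                                   /* decision block 1120B */
        return rom_write(m, 0, (uint8_t)(ROM_ERASED_BYTE & ~1u)); /* block 1130B */
    /* Block 1125B: highest-numbered byte whose most significant bit is
     * already zero (a full byte); the byte after it is the one to advance.
     * If no byte is full yet, the first byte is still being filled. */
    size_t target = 0;
    for (size_t i = 0; i < ROM_COUNTER_BYTES; i++)
        if ((m->rom[i] & 0x80u) == 0) target = i + 1;
    if (target >= ROM_COUNTER_BYTES) return false;         /* all bytes full */
    /* Block 1135B: clear the lowest bit still set, i.e. the next more
     * significant position above the zeros already in that byte. */
    uint8_t v = m->rom[target];
    return rom_write(m, target, (uint8_t)(v & (v - 1u)));
}

/* Methods 1300A/1300B, blocks 1315-1355: serve one request for a monotonic
 * value. Counter 435A is advanced first; if it rolled over, counter 435B is
 * advanced once, so the combined result (435B in the high bits, 435A in the
 * low 32 bits) is strictly larger than every value handed out before. */
bool mono_next(mono_counter_t *m, uint64_t *out) {
    m->sb += 1;                                            /* block 1315 */
    if (m->sb == 0) {                                      /* blocks 1320/1325 */
        if (!rom_increment(m)) return false;               /* block 1330 */
    }
    *out = ((uint64_t)rom_value(m) << 32) | m->sb;        /* blocks 1340-1350 */
    return true;
}
```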

[0155] FIGS. 14A and 14B illustrate block diagrams of embodiments of processors 805A and 805B, including random number generators 455A and 455B using entropy registers 1410, according to one aspect of the present invention. The RNG 455 in FIG. 6 may also use an entropy register 1410, similar to what is shown here. FIG. 14A shows an embodiment of a processor 805A, which includes a plurality of performance registers 1405A-1405N coupled through a plurality of bit lines 1406 to a random number generator 455A. FIG. 14B shows another embodiment of a processor 805B, which includes the plurality of performance registers 1405A-1405N coupled through a plurality of bit lines 1406 to a random number generator 455B.

[0156] Common to both FIGS. 14A and 14B, the performance registers 1405A through 1405N each store a value indicative of a different performance metric. Exemplary performance metrics may include first-level-cache hit rate, second-level-cache hit rate, third-level-cache hit rate, branch target cache, and/or other model specific registers (MSRs), such as those used for measuring performance. In one embodiment, the performance registers include any register that updates the least significant bit at a rate asynchronous to the local and/or system clock.

[0157] In one embodiment, each of the plurality of bit lines 1406 couples between the least significant bit entry in one of the performance registers 1405 and an entry in an entropy register 1410 in the RNG 455. Each entry of the entropy register 1410 may couple to a different one of the performance registers 1405. In another embodiment, each entry of the entropy register 1410 may couple to one or more entries in one or more of the performance registers 1405 or other sources of single bits within the processor 805.

[0158] FIG. 14A includes the RNG 455A, which also includes an entropy control unit 1415 coupled to receive a request over a request line (REQ) from the processor 805A for a random number over output lines (RN). The entropy control unit 1415 is configured to assert a control signal (C) to the entropy register 1410 and read out the value in the entropy register 1410 over the data lines (D). The entropy control unit 1415 is further configured to provide the random number from the entropy register 1410 over the output lines (RN) in response to the request line (REQ) being asserted by the processor 805A.

[0159] FIG. 14B includes the RNG 455B, which includes the entropy register 1410. The entropy register 1410 of FIG. 14B may be read by the processor 805B. The entropy register 1410 latches the values received over the plurality of bit lines 1406 upon receiving a clocking signal (CLK). The random number from the entropy register 1410 may then be read out over the output lines (RN) by the processor 805B.

[0160] It is noted that the RNG 455A and the RNG 455B may be included in devices in the computer system other than the processor 805. Contemplated locations for the RNG 455A and the RNG 455B include the north bridge 810 and the south bridge 330. It is also noted that the performance registers 1405 are not normally accessible to a user of the processor 805 once the processor 805 is in a computer system, as the performance registers 1405 are primarily used for testing during the design and engineering stages of the manufacturing process. This may advantageously allow for better randomness with less likelihood of tampering with the random number obtained from the entropy register 1410.

[0161] FIG. 15 illustrates a block diagram of another embodiment of a random number generator 455C, according to one aspect of the present invention. The RNG 455C includes a plurality of ring oscillators (RO0-RO7) 1514A-1514H, a linear feedback shift register (LFSR) 1515, a digital to analog converter (D/A) 1520, a voltage controlled oscillator (VCO) 1525, a sample and hold circuit 1530, a cyclic redundancy code generator 1535 (CRC), a self test circuit 1511, a multiplexer (MUX) 1545, and a counter 1540.

[0162] The CLK signal 1505 is received in the RNG 455C by the LFSR 1515, the sample and hold circuit 1530, the CRC 1535, and the counter 1540. Either a system reset signal (SYSTEM_RESET) 1507 or a read strobe (READ_STROBE) is received by the counter 1540 at the reset (RST) input port. The LFSR 1515 receives output signals of each of the ring oscillators (RO0-RO7) 1514A-1514H at one input port (RO[7:0]) and the output signals of the sample and hold circuit at another input (IN) terminal. A plurality of values are provided by the LFSR 1515 at the output (OUT) terminal. As shown, one of the plurality of values delivered by the LFSR 1515 is XORed with the CLK signal 1505 before all of the plurality of values provided by the LFSR 1515 are delivered to the D/A 1520. The analog output signal of the D/A 1520 is provided as a control signal to the VCO 1525.

[0163] The output of the VCO 1525 is provided to the input (IN) terminal of the sample and hold circuit 1530 and clocked on the CLK signal 1505. The output (OUT) signal of the sample and hold circuit 1530 is provided to the input terminal of the CRC 1535 and clocked on the CLK signal 1505, as well as to the IN terminal of the LFSR 1515, as described above. A plurality of output values is provided to the MUX 1545 through the CRC output port (OUT). The MUX 1545 selects between the output values of the CRC 1535 and ground (GND). The MUX 1545 provides the random number over output lines (RN[31:0]).

[0164] A request for a random number over the read strobe line (READ_STROBE) results in the counter 1540 counting a prerequisite number of clock cycles prior to asserting a signal (FULL) to the selection input (SEL) of the MUX 1545. The FULL signal may also be read by the requestor of the random number as a signal (DONE) that the requested random number is available over the RN[31:0] lines. The system reset signal 1507 also asserts a signal on the reset input terminal of the counter 1540. A self test circuit 1511 may be present to provide a known value to the MUX 1545 to be read on the RN[31:0] lines in place of a random number generated by the RNG 455C.

[0165] The RNG 455C is preferably configured to meet all appropriate requirements for an RNG in Federal Information Processing Standards Publication FIPS-140-1, entitled SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES, issued on Jan. 11, 1994, by the U.S. National Institute of Standards and Technology (NIST), which is hereby incorporated by reference. The Federal Information Processing Standards Publication Series of the NIST is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by the Computer Security Act of 1987, Public Law 100-235.

[0166] It is noted that for increased randomness, the ring oscillators 1514A-1514H may be operated at frequencies and phases that do not correlate between or among the plurality of ring oscillators 1514. It is also noted that the RNG 455C may be included in locations other than the south bridge 330. Contemplated locations include the processor 805 and the north bridge 810.

[0167] FIGS. 16A-16G illustrate flowcharts of embodiments of methods 1600A-1600G that attempt to access the security hardware 370, which may be locked, according to various aspects of the present invention. FIG. 16A shows a method 1600A of locking the security hardware 370 as a part of the boot (or cold reboot) process. FIG. 16B shows a method 1600B of unlocking and later locking the security hardware 370 as a part of a reboot (or warm boot) process. FIG. 16C shows a method 1600C of checking for rights to lock or unlock the security hardware 370 and checking a bit to disable changing the rights. FIG. 16D shows a method 1600D of attempting to use the security hardware 370 while the computer system 100 is not in SMM. FIG. 16E shows a method 1600E of checking and/or setting the lock on the OAR access locks 460 and checking the bit to disable changing the lock. FIG. 16F shows a method 1600F of unlocking and later locking the security hardware 370 while the computer system 100 is in SMM. FIG. 16G shows a method 1600G of checking for rights to unlock and later lock the security hardware 370 while the computer system 100 is in SMM.

[0168] Referring now to FIG. 16A, the method 1600A includes the processor executing the BIOS code instructions from SMM space in the RAM memory, in block 1620. The BIOS code, executed by the processor, performs a power-on self test (POST), in block 1625. The method 1600A includes accessing the security hardware 370, in block 1630. The accesses to the security hardware 370 may initiate an unlocking of the security hardware 370, if the security hardware 370 is not open-at-reset. The accesses to the security hardware 370 may be by the BIOS code or other device or subsystem in the computer system 100, or from outside the computer system 100, if allowed. The method 1600A may optionally include entering a BIOS management mode, in block 1632. The BIOS management mode could allow for, for example, remote booting instructions, remote or secure permission to continue the boot sequence, other remote operations or remote hardware accesses or set-ups, or choosing between or among boot choices, such as hardware configurations and/or operating systems or other software choices.

[0169] The BIOS code next looks for additional BIOS code, such as from a video controller, IDE controller, SCSI controller, etc. and displays a start-up information screen, in block 1635. As examples, the video controller BIOS is often found at C000h, while the IDE controller BIOS code is often found at C800h. The BIOS code may perform additional system tests, such as a RAM memory count-up test, and a system inventory, including identifying COM (serial) and LPT (parallel) ports, in block 1640. The BIOS code also identifies plug-and-play devices and other similar devices and then displays a summary screen of devices identified, in block 1645.

[0170] The method includes closing the access locks to the security hardware, in block 1650. The BIOS code or another device or agent in the computer system 100 may close the access locks. The BIOS code identifies the boot location, and the corresponding boot sector, in block 1655. The boot location may be on a floppy drive, a hard drive, a CDROM, a remote location, etc. The BIOS code next calls the boot sector code at the boot location to boot the computer system, such as with an operating system, in block 1660.

[0171] Referring now to FIG. 16B, the method 1600B includes opening the access locks to the security hardware, in block 1615. The processor executes the BIOS code instructions from SMM space in the RAM memory, in block 1620. The computer system accesses the security hardware 370 while in SMM, while booting, in block 1630. The method 1600B may optionally include entering a BIOS management mode, in block 1632.

[0172] The BIOS code next looks for additional BIOS code, such as from a video controller, IDE controller, SCSI controller, etc. and displays a start-up information screen, in block 1635. As examples, the video controller BIOS is often found at C000h, while the IDE controller BIOS code is often found at C800h. The BIOS code also identifies plug-and-play devices and other similar devices and then displays a summary screen of devices identified, in block 1645.

[0173] The BIOS code closes the access locks to the security hardware, in block 1650. The BIOS code identifies the boot location, and the corresponding boot sector, in block 1655. The boot location may be on a floppy drive, a hard drive, a CDROM, a remote location, etc. The BIOS code next calls the boot sector code at the boot location to boot the computer system, such as with an operating system, in block 1660.

[0174] Turning now to FIG. 16C, the method 1600C includes deciding whether to set the OAR-lock, in decision block 1646. The OAR-lock in decision block 1646 may correspond to the first indicator described above with respect to FIG. 6. The OAR-lock in decision block 1646 may also correspond to setting the OAR lock override bit 1750 described below with respect to FIG. 17D. If the decision is made to set the OAR-lock, then, according to one embodiment, all access to the security hardware 370 is blocked, in block 1647. If the decision is made not to set the OAR-lock, then the method 1600C moves to decision block 1648. In decision block 1648, the method 1600C decides whether to set the OAR-lock change bit. The OAR-lock change bit in decision block 1648 may correspond to the second indicator described above with respect to FIG. 6. The OAR-lock change bit in decision block 1648 may also correspond to setting the change OAR lock override bit 1755 described below with respect to FIG. 17D. If the decision is made to set the OAR-lock change bit, in decision block 1648, then, according to one embodiment, the OAR-lock cannot be changed, thereafter, as changes to the OAR-lock are themselves locked out, in block 1649.

[0175] Turning now to FIG. 16D, the method 1600D includes a processor, such as processors 102, 805, etc., operating in a mode that is not SMM, in block 1604. In block 1606, code being processed by the processor attempts to access any part of the security hardware 370, or other hardware whose access may require a check of an access lock similar to the access locks 460. The method checks, at decision block 1607, to see if the security hardware 370 is available. If the security hardware 370 is not available, at decision block 1607, then the method 1600D exits or returns. If the security hardware 370 is available, at decision block 1607, then the method 1600D accesses the security hardware 370, at block 1630. The method, optionally, closes the access locks to the security hardware, if necessary, at block 1650.

[0176] Turning now to FIG. 16E, the method 1600E includes an embodiment of decision block 1607 from FIG. 16D. The method 1600E includes checking if access to all security hardware is locked out, i.e. forbidden, at decision block 1690. If access to all security hardware is locked out, then at decision block 1690 the method 1600E moves to decision block 1692. If access to all security hardware is not locked out, then the method 1600E moves to decision block 1691. In decision block 1691, the method 1600E checks if the requested security hardware is locked out (e.g. separately using one or more access locks).

[0177] If the requested security hardware is locked out, then the method 1600E moves to decision block 1692. If the requested security hardware is not locked out, then the method 1600E moves directly to block 1693. In decision block 1692, the method 1600E checks if the access lock for the requested security hardware can be changed, e.g., unlocked. If the access lock for the requested security hardware cannot be changed, then in decision block 1692 the method 1600E aborts the access to the security hardware. If the access lock for the requested security hardware can be changed, then in decision block 1692 the method 1600E requests authorization, such as from a user, to change the access lock for the requested security hardware, in decision block 1693. If the authorization to change the access lock for the requested security hardware is not given, then the method 1600E aborts the access to the security hardware. If the authorization to change the access lock for the requested security hardware is given, then the method 1600E moves to block 1694 and changes the lock to allow access to the requested security hardware.

[0178] It is noted that any authorization method described herein may be used in decision block 1693. Any other authorization methods known in the art that have equivalent or better security properties in the presence of an observer may also be used.

[0179] Turning now to FIG. 16F, the method 1600F includes the processor loading code instructions into SMM space in the RAM memory, in block 1605. For example, loading code instructions into SMM space may occur in response to an SMI#. The access locks to the security hardware are opened in block 1615. The opening of the access locks may be through the SMM code instructions or through a hardware mechanism, or both.

[0180] The processor processes the code instructions from SMM space in the RAM memory, in block 1620. It is noted that the SMM timing controller 401, described above, may interrupt the processing of the code instructions. The method 1600F includes accessing the security hardware 370, in block 1630. As the computer system is in SMM and the access locks have been opened, in block 1615, the security hardware is available to most or all of the subsystems of the computer system 100 (or 800), as desired.

[0181] The method 1600F includes closing the access locks to the security hardware 370, in block 1650. The processor reloads the previous state and continues operating, in block 1665. It is noted that the processing of the SMM code instructions, in block 1620, may continue while the actions described in block 1630 occur. Preferably, the actions described in block 1650 occur after the processing of the SMM code instructions, in block 1620, has ceased. The processing may have finished or have been interrupted.

[0182] Turning now to FIG. 16G, the method 1600G includes the processor loading code instructions into SMM space in the RAM memory, in block 1605. For example, the loading of code instructions into SMM space may occur in response to an SMI#. The method 1600G next checks if the security hardware is available, in decision block 1607. If the security hardware is not available, then in decision block 1607 the method 1600G aborts the access to the security hardware. If the security hardware is available, then the method 1600G continues with block 1620.

[0183] The processor executes the code instructions from SMM space in the RAM memory, in block 1620. It is noted that the SMM timing controller 401, described above, may interrupt the processing of the code instructions. The method 1600G includes accessing the security hardware 370, in block 1630. As the computer system is in SMM and the access locks are open, as determined in decision block 1607, the security hardware is available to most or all of the subsystems of the computer system 100 (or 800), as desired.

[0184] The method 1600G includes closing the access locks to the security hardware 370, in block 1650. The processor reloads the previous state and continues operating, in block 1665. It is noted that the executing of the SMM code instructions, in block 1620, may continue while the actions described in block 1630 occur. Preferably, the actions described in block 1650 occur after the processing of the SMM code instructions, in block 1620, has ceased. The processing may have finished or have been interrupted.

[0185] It is noted that other processes of locking and unlocking the security hardware 370, other than the access locks, may be used. The methods 1600A-1600G are intended to extend to those other processes.

[0186] For the purposes of this disclosure, the computer system is considered to have two operating modes, normal and SMM. There are boot phases that are not in SMM, but they are, by definition, as trusted as SMM, and therefore considered equivalent to SMM herein. The boot code configures and arranges how SMM will work. SMM derives its trustworthiness from the trustworthiness of the boot code. It is contemplated that the standard boot sequence could be varied. Variations include a transition to a setup environment where the user may have the opportunity to input parameters. The input parameters may, for example, modify the BIOS code. Most setup environments return to reset before loading the operating system and operating in normal mode. This is a form of maintenance mode that is an alternative to loading the operating system and is not part of the normal mode. As contemplated, the access locks would not be set in this mode. It would be part of the boot process and as trusted as SMM, although security measures could be used if remote accesses are possible inside the setup environment.

[0187] FIGS. 17A, 17B, and 17C illustrate block diagrams of embodiments 460A, 460B, and 460C of the access locks 460 shown in FIG. 6. In FIG. 17D, a block diagram of an embodiment of the OAR override register 455, from FIG. 6, is shown. In the embodiment 460A shown in FIG. 17A, the one or more access locks 460 include a sequester bit register 1705. The bit stored in the sequester bit register 1705 may be set or cleared as a flag. In the embodiment 460B shown in FIG. 17B, the one or more access locks 460 include two or more sequester registers configured to store two or more sequestering bits to lock or unlock all of the devices within the security hardware 370. The additional bits beyond the sequester bit stored in the sequester register 1705 allow for flag bits for locking and unlocking of privileges separately. For example, a write privilege could be locked, while a read privilege could be unlocked. In the embodiment of FIG. 17C, the one or more access locks 460 include one or more sequester registers 1715A-1715N for each device within the security hardware 370C.

[0188] In FIG. 17D, the OAR override 445 includes an OAR-lock overrideregister 1750 that stores at least one OAR-lock override bit, and achange OAR-lock override register 1755 that stores at least one changeOAR-lock override bit. According to one embodiment of the presentinvention, if the OAR-lock override bit is not set, then access to thesecurity hardware 370 is determined by the settings of the access locks460. If the OAR-lock override bit is set, then the access locks 460 areignored in favor of the security hardware 370 being either alwaysavailable or never available, based on the implementation. Preferably,the security hardware is never available when the OAR-lock override bitis set. The setting of the OAR-lock override bit may be changed in SMM(or with authorization) unless the change OAR-lock override bit is set.Preferably, the change OAR-lock override bit is OAR, similar to oneembodiment of the access locks 460, and may be set, in variousembodiments, with the access locks 460 at boot time, such as in block1650.
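The following is an added software model, not code from the patent, of the sequester bits of FIGS. 17B/17C, the OAR-lock override bits of FIG. 17D, and the open-access-close sequence of methods 1600F/1600G. The class and constant names (AccessLocks, Mode, PRIV_READ, PRIV_WRITE, smm_session) and the device names are assumptions of this model; the override is modelled with the preferred "never available" behaviour.

```python
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"
    SMM = "smm"          # boot phases count as SMM for trust purposes


PRIV_READ = "read"
PRIV_WRITE = "write"


class AccessLocks:
    """Sequester bits per device and privilege (FIG. 17B/17C) plus the
    OAR-lock override and change OAR-lock override bits (FIG. 17D)."""

    def __init__(self, devices):
        # False = open (access allowed), True = closed (sequestered).
        self.sequester = {d: {PRIV_READ: False, PRIV_WRITE: False} for d in devices}
        self.oar_override = False            # when set, sequester bits are ignored
        self.change_override_locked = False  # when set, oar_override is frozen

    def reset(self):
        """RESET clears every bit; the change-override bit reopens only this way."""
        for bits in self.sequester.values():
            bits[PRIV_READ] = bits[PRIV_WRITE] = False
        self.oar_override = False
        self.change_override_locked = False

    def set_lock(self, device, priv, closed, mode):
        """Change one sequester bit. Only SMM (or boot) may do this."""
        if mode is not Mode.SMM:
            return False
        self.sequester[device][priv] = closed
        return True

    def set_oar_override(self, value, mode):
        """Change the OAR-lock override bit, unless the change bit is set."""
        if mode is not Mode.SMM or self.change_override_locked:
            return False
        self.oar_override = value
        return True

    def lock_oar_override(self, mode):
        """Set the change OAR-lock override bit; sticky until the next reset."""
        if mode is not Mode.SMM:
            return False
        self.change_override_locked = True
        return True

    def is_available(self, device, priv):
        """Decide whether a transaction on `device` with `priv` may proceed."""
        if self.oar_override:
            return False     # preferred embodiment: never available when overridden
        return not self.sequester[device][priv]


def smm_session(locks, device, work):
    """Methods 1600F/1600G: open the locks (the block 1607 condition), access
    the security hardware (block 1630), then close the locks (block 1650)."""
    for priv in (PRIV_READ, PRIV_WRITE):
        locks.set_lock(device, priv, False, Mode.SMM)
    result = work(locks)
    for priv in (PRIV_READ, PRIV_WRITE):
        locks.set_lock(device, priv, True, Mode.SMM)
    return result


if __name__ == "__main__":
    locks = AccessLocks(["rng", "secret_store"])
    inside = smm_session(locks, "rng", lambda l: l.is_available("rng", PRIV_READ))
    print("available inside SMM:", inside)                                 # True
    print("available after SMM:", locks.is_available("rng", PRIV_READ))    # False
```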

[0189]FIG. 18A illustrates a prior art flowchart of an SMM program1800A. The prior art SMM program 1800A starts at 1805, includes one ormore instructions for execution in SMM, in block 1810A, and ends at 1895without interruption. In other words, prior art SMM program 1800A isuninterruptible and has no other entry points than the start at 1805.There are also no reasonable exit points, barring processor failure,other than the stop at 1895.

[0190] FIG. 18B illustrates a flowchart of an embodiment of operations of an interruptible and re-enterable SMM program 1800B, according to one aspect of the present invention. In contrast to the prior art SMM program 1800A, the interruptible and re-enterable SMM program 1800B includes a start at 1805, one or more instructions for execution in SMM, in block 1810B, an entry/exit point 1815, one or more instructions for execution in SMM, in block 1820, and the stop at 1895.

[0191] Also in contrast to the prior art SMM program 1800A, FIG. 18C illustrates an embodiment of operation of a computer system running the interruptible and re-enterable SMM program 1800B, according to one aspect of the present invention. The operations 1800C of the computer system include a start 1805. The operations also include receiving a request to enter SMM, at 1810, and saving the system state at 1815. The method checks, at 1820, for a saved SMM state, as could be found from exiting the SMM program 1800B at 1875. If no saved SMM state is found at 1820, then the requested default SMM state is loaded at 1825. If a saved SMM state is found at 1820, then the saved SMM state is loaded, at 1830.

[0192] The method 1800C executes the loaded SMM state, at 1835, eitherthe default state from 1825 or the saved state at 1830. If the SMMprocessing is finished, at 1840, then the method moves to 1855 and exitsSMM. If the SMM processing is not finished, then the method continuesexecution of the SMM state, if no exit request is received at 1845. Ifthe exit request is received at 1845, then the method saves the currentSMM state at 1850 and exits SMM at 1855. The saved system state isreloaded at 1860, and the method ends at the stop 1895.

[0193] While only one entry/exit point 1815 is shown in the embodimentof FIG. 18B, other embodiments may include two or more entry/exit points1815 in an SMM program 1800B or the operations of the method 1800C shownin FIG. 18C. In these embodiments, each entry/exit point 1815 would haveone or more instructions for execution in SMM, similar to blocks 1810Band 1820, both before and after the entry/exit point 1815.

[0194] For example, in one embodiment, block 1810B includes oneinstruction for execution in SMM, followed by an entry/exit point 1815A.Entry/exit point 1815A is followed by another single instruction forexecution in SMM, in block 1820A. Block 1820A is followed by anotherentry/exit point 1815B. Entry/exit point 1815B is followed by anothersingle instruction for execution in SMM, in block 1820B. Block 1820B isfollowed by the stop 1895. While a single instruction in blocks 1810B,1820A, and 1820B may be small, the concept of regularly spacedEntry/exit points 1815 is illustrated. In other embodiments, two, threeor more instructions for execution in SMM may be substituted for thesingle instructions. In still other embodiments, there may be a variablenumber of instructions for execution in SMM in blocks 1810B, and 1820.The number of instructions may depend on the execution times for eachset of instructions, so that SMM may be interruptible every so oftenduring execution.
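The following is an added software model, not code from the patent, of the entry/exit handling of FIG. 18C applied to a program laid out as in FIG. 18B (one callable per instruction block, an entry/exit point 1815 between each pair). The names SmmState, SmmController, enter and exit_after are assumptions of this model; `exit_requested` stands in for whatever raises the exit request polled at 1845, such as the SMM timing controller.

```python
from dataclasses import dataclass, field


@dataclass
class SmmState:
    """Saved SMM state: the next entry/exit point and the SMM code's working data."""
    pc: int = 0
    scratch: list = field(default_factory=list)


class SmmController:
    """Blocks 1810-1860 of FIG. 18C for an instruction list of the FIG. 18B form."""

    def __init__(self, instructions):
        self.instructions = instructions    # callables, each taking an SmmState
        self.saved_smm_state = None         # written at 1850, consumed at 1830

    def enter(self, system_state, exit_requested):
        """Run SMM until finished (1840) or until an exit is requested (1845)
        at an entry/exit point. Returns (finished, scratch, restored_state)."""
        saved_system_state = system_state                    # 1815
        if self.saved_smm_state is None:                     # 1820
            state = SmmState()                               # 1825: default state
        else:
            state = self.saved_smm_state                     # 1830: saved state
            self.saved_smm_state = None
        n = len(self.instructions)
        while state.pc < n:                                  # 1835 / 1840
            self.instructions[state.pc](state)
            state.pc += 1
            if state.pc < n and exit_requested(state):       # 1845: entry/exit point
                self.saved_smm_state = state                 # 1850: save SMM state
                break
        finished = state.pc >= n
        return finished, state.scratch, saved_system_state   # 1855 / 1860


def exit_after(n_instructions):
    """Exit request that fires once `n_instructions` have run in this entry,
    modelling a duration limit imposed from outside the SMM code."""
    count = {"n": 0}

    def check(state):
        count["n"] += 1
        return count["n"] >= n_instructions
    return check


if __name__ == "__main__":
    prog = SmmController([lambda s: s.scratch.append("a"),
                          lambda s: s.scratch.append("b"),
                          lambda s: s.scratch.append("c")])
    print(prog.enter("sys-1", exit_after(1)))   # (False, ['a'], 'sys-1')
    print(prog.enter("sys-2", exit_after(1)))   # (False, ['a', 'b'], 'sys-2')
    print(prog.enter("sys-3", exit_after(1)))   # (True, ['a', 'b', 'c'], 'sys-3')
```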

[0195] It is noted that forced exits from SMM, as are taught herein in one aspect of the present invention, for example, with respect to FIG. 10A, and re-entry into SMM, as is also taught herein in another aspect of the present invention, for example, with respect to FIG. 10B, are but two examples of how interruptible, re-enterable SMM code could be implemented or used. Those of skill in the art of computer programming with full appreciation of this disclosure will appreciate that many programming techniques used with non-SMM code that use interruptible, re-enterable code flow will now be available in SMM code.

[0196]FIGS. 19A, 19B, and 19C illustrate block diagrams of embodiments3000A, 3000B, and 3000C of computer systems with the BIOS ROM 355accessible to the processor 805 at boot time and to the south bridge 330at other times. Common to all three figures are a processor 805, a southbridge 330, control logic 3010, a boot switch 3005, a crypto-processor305, and BIOS ROM 355. The processor 805 is coupled to the south bridge330 in a usual fashion at times other than at boot time. At boot time,the control logic 3010 is operable to change the boot switch 3005 suchthat the processor 805 has access to the BIOS 355 without going throughthe south bridge 330 in the usual fashion.

[0197] In FIG. 19A, embodiment 3000A shows the processor 805 coupled toone part (A) of the boot switch 3005. Part A of the boot switch 3005 isopen, as would occur after booting. The control logic 3010 is coupled tothe boot switch 3005 to control the operations of the boot switch 3005.The south bridge 330 is coupled to Part B of the boot switch 3005. PartB of the boot switch 3005 is closed, again as would occur after booting.The south bridge 330 is shown coupled to the bus to which the BIOS iscoupled, shown as being through the crypto-processor 305. Other hardware3015A and 3015B are also shown coupled to the bus, which may be an LPCbus 118, or another bus.

[0198] In FIG. 19B, embodiment 3000B shows the processor 805 coupled toone part (A) of the boot switch 3005 through an instance of LPC businterface logic (BIL) 134D. Part A of the boot switch 3005 is closed, aswould occur during booting. The processor 805 is coupled to a northbridge 810 through a local bus 808. The north bridge 810 includes thecontrol logic 3010, coupled to the boot switch 3005 to control theoperations of the boot switch 3005. The north bridge 808 is furthercoupled to the south bridge 330 through a PCI bus 110. The south bridge330 is coupled to Part B of the boot switch 3005 through anotherinstance of LPC BIL 134D. Part B of the boot switch 3005 is open, againas would occur during booting. The south bridge 330 is shown coupled toan LPC bus to which the BIOS 355 is coupled, shown as being through thecrypto-processor 305. Other hardware 3015A and 3015B are not shown inthis embodiment, but may be present. The connection between Part A ofthe boot switch 3005 and Part B of the boot switch 3005 is shown as anLPC bus segment 3018.

[0199] As illustrated, during the booting process, the processor 805 isoperable to use an LPC bus protocol to access the BIOS 355 directly,without going through the north bridge 810 or the south bridge 330. Byproviding a more direct connection between the processor 805 and theBIOS ROM 355, the computer system 3000B may advantageously boot orreboot faster than using more usual methods of accessing the BIOS ROM355. After booting, accesses to the BIOS ROM 355 are through the southbridge 330 using the LPC bus 118.

[0200] In FIG. 19C, embodiment 3000C shows the processor 805 coupled to one part (A) of the boot switch 3005 through the local bus 808. Part A of the boot switch 3005 is closed, as would occur during booting. The processor 805 is also coupled to the north bridge 810 through the local bus 808. The processor 805 includes the control logic 3010, coupled to the boot switch 3005 to control the operations of the boot switch 3005. The north bridge 808 is further coupled to the south bridge 330 through a PCI bus 1110. The south bridge 330 is coupled to the LPC bus 118 through an instance of LPC BIL 134D. Part B of the boot switch 3005 is coupled to the LPC bus 118. Part B of the boot switch 3005 is open, again as would occur during booting. The BIOS ROM 355 is coupled through the crypto-processor 305 to the local bus 808 when Part A of the boot switch 3005 is closed and to the LPC bus 118 when Part B of the boot switch 3005 is closed. The crypto-processor 305 may include bus interface logic for the local bus 808 and the LPC bus 118, or the crypto-processor 305 may be configured to translate the bus protocols as necessary to pass bus cycles to the BIOS ROM 355. Other hardware 3015A and 3015B are not shown in this embodiment, but may be present.

[0201] As illustrated, during the booting process, the processor 805 isoperable to use the local bus protocol to access the BIOS 355 directly,without going through the north bridge 810 or the south bridge 330. Byproviding a more direct connection between the processor 805 and theBIOS ROM 355, the computer system 3000C may advantageously boot orreboot faster than using more usual methods of accessing the BIOS ROM355. After booting, accesses to the BIOS ROM 355 are through the southbridge 330 using the LPC bus 118.

[0202] It is noted that the control logic 3010 may be signaled to orconfigured to operate the boot switch 3005 at times other than bootingto allow for faster access to the BIOS ROM 355, the crypto-processor 305(when present), or, for example, other hardware 3015 on the LPC bus.

[0203] In various embodiments of the present invention, the security of SMM is assumed. It is noted that one or more so-called “backdoors” may exist that could be exploited to compromise the security of SMM. The issues contemplated include misuse of the hardware debug test (HDT) mode of the processor 805 as well as the ability of the processor 805 to load and replace microcode. Illustrated in FIGS. 20A-D are various embodiments 805A, 805B, 805C, 805D of the processor 805, each of which includes various security protections against one or more backdoor attacks.

[0204] In FIG. 20A, the processor 805A includes HDT control logic 3110A,HDT reset logic 3120A, and one or more registers, including an HDTenable register 3115 and non-volatile random access memory (NVRAM) 3130.As shown, the HDT control logic 3110A is coupled to receive a pluralityof input signals through a plurality of HDT pins 3105. The HDT controllogic 3110A is further coupled to the HDT enable register 3115. The HDTreset logic 3120A is coupled to receive a RESET signal over a line 3125and to access (i.e. read and write) the HDT enable register 3115 and theNVRAM 3130.

[0205] In FIG. 20B, the processor 805B includes HDT control logic 3110B, HDT reset logic 3120B, and two registers, including the HDT enable register 3115 and an HDT enable lock register 3135. As shown, the HDT control logic 3110B is coupled to receive a plurality of input signals through the plurality of HDT pins 3105. The HDT control logic 3110B is further coupled to the HDT enable register 3115 and the HDT enable lock register 3135. The HDT reset logic 3120B is coupled to receive the RESET signal over the line 3125 and a signal, such as over a line 3140, through a pull-up (or pull-down) resistor 3145.

[0206] In FIG. 20C, the processor 805C includes microcode control logic3155, microcode loader enable reset logic 3165, and one or moreregisters, including a microcode loader enable register 3160. As shown,the microcode control logic 3155 is coupled to receive a plurality ofinput signals through a plurality of microcode input pins 3150. Themicrocode control logic 3155 is further coupled to the microcode loaderenable register 3160. The microcode loader enable reset logic 3165 iscoupled to receive the RESET signal and to access the microcode loaderenable register 3160.

[0207] In FIG. 20D, the processor 805D includes HDT control logic 3110integrated with the microcode control logic 3155, the HDT reset logic3120, and the MLE reset logic 3165 to form control/reset logic 3175. TheHDT enable register 3115 and the microcode loader enable register 3160are integrated into a multibit lock register 3180. A plurality of inputs3170 are shown to the control/reset logic 3175. The plurality of inputs3170 may include the HDT inputs 3105, the microcode inputs 3150, and/orthe reset signaling means. Other embodiments (not shown) integrate onlythe HDT control logic 3110 and the microcode control logic 3155, or justthe HDT reset logic 3120 and the MLE reset logic 3165.

[0208] According to various embodiments of the present invention, theregisters 3115, 3135, and 3160, as well as the NVRAM 3130 includestorage space for one or more bits. In one embodiment, each register isconfigured to store a single bit. It is noted that the enable registers3115 and 3160 may also be integrated into a single lock register, andthe HDT enable lock register 3135 may be used as a microcode enable lockregister. It is contemplated that the registers 3115, 3135, 3160, and/or3180 could be included in the SMM MSRs 807.

[0209] In various embodiments, the HDT enable register 3115 is configured to store one or more HDT enable bits signifying whether HDT mode is enabled or disabled. The HDT reset logic 3120 is configured to set the one or more HDT enable bits to a default state upon a reset of the processor 805.

[0210] Multiple embodiments for controlling the HDT modes arecontemplated, such as those illustrated in FIGS. 20A and 20B. In oneembodiment, the HDT mode is enabled as the default on non-productionprocessors 805 used for engineering and testing. The HDT mode may bedisabled as the default in standard production processors 805. Inanother embodiment, illustrated in FIG. 20A, the default state may bestored in and read from the NVRAM 3130. In this embodiment, the defaultstate may be changeable, but in the illustrated embodiment, the defaultstate is set to disabled. In still another embodiment, illustrated inFIG. 20B, the default state is set using a strapping option. The defaultvalue is provided to the HDT reset logic 3120B through the pull-up (orpull-down) resistor 3145.

[0211] Multiple embodiments for controlling the microcode loader modes are also contemplated, such as those illustrated in FIGS. 20C and 20D. In one embodiment, not illustrated, the microcode update mode is enabled as the default on non-production processors 805 used for engineering and testing. The microcode update mode may be disabled as the default in standard production processors 805. In another embodiment, similar to that illustrated in FIG. 20A, the default state may be stored in and read from the NVRAM 3130. In this embodiment, the default state may be changeable, but in the illustrated embodiment the default state is set to disabled. In still another embodiment, illustrated in FIG. 20B, the default state is set using a strapping option. The default value is provided to the MLE reset logic 3165 through the pull-up (or pull-down) resistor 3145.

[0212] Turning now to FIG. 21, a method 3200 for initiating the HDT modeis shown. In response to receiving a request to enter the HDT mode (step3205), the HDT control logic 3110 checks the status of the one or moreHDT enable bits to see if the HDT mode is enabled or disabled (step3210). If the HDT mode is enabled (step 3215), then the HDT controllogic 3110 initiates the HDT mode (step 3220). If the HDT mode isdisabled (step 3215), then the HDT control logic 3110 will not initiatethe HDT mode.

[0213] Turning now to FIG. 22, a method 3300 for changing the HDT modeenable status, which includes an HDT mode lock, is shown. In response toreceiving a request to enter the HDT mode (step 3305), the HDT controllogic 3110 checks the status of the one or more HDT enable lock bits todetermine if the HDT lock mode is locked or unlocked (step 3310). If theHDT lock mode is unlocked (step 3315), then the HDT control logic 3110initiates HDT mode (step 3335). If the HDT lock mode is locked (step3315), then the HDT control logic 3110 requests authorization to changethe HDT lock mode status (step 3320). If the change is authorized (step3325), then the HDT control logic 3110 changes the HDT mode lock bit tounlocked (step 3330). If the change is not authorized (step 3325), thenthe HDT control logic 3110 does not change the HDT mode lock bit.

[0214] In various embodiments, the HDT enable status may be changed bysetting or resetting the one or more HDT enable status bits. Forexample, the HDT mode may be disabled, but inside SMM, a predeterminedinput to the HDT control logic 3110 may signal the HDT control logic3110 to change the HDT mode status to enabled. In the embodiment of FIG.20A, for example, once signaled, the HDT control logic 3110 would changethe status of the HDT enable bit from disabled to enabled.

[0215] Referring back to the embodiment of FIG. 20B, for example, inresponse to receiving a request to change the HDT mode status, the HDTcontrol logic 3110 checks the status of the one or more HDT enable lockbits to see if the HDT lock mode is enabled or disabled. If the HDT lockmode is disabled, then the HDT control logic 3110 may change the HDTmode status. If the HDT lock mode is enabled, then the HDT control logic3110 will not change the HDT mode status.

[0216] It is noted that the method 3300 may alternatively terminate ifthe microcode update lock status is locked (step 3315), instead ofrequesting authorization to change the microcode update lock status(step 3320). The method 3300 may also include receiving a request tochange the microcode update lock status (not shown) prior to the method3300 requesting authorization (step 3320).

[0217] Turning now to FIG. 23, a method 3400 for initiating themicrocode loader is shown. In response to receiving a request toinitiate the microcode update mode (step 3405), the microcode controllogic 3155 checks the status of the one or more microcode enable bits tosee if microcode update mode is enabled or disabled (step 3410). If themicrocode update mode is enabled (step 3215), then the microcode controllogic 3110 initiates the microcode update mode (step 3220). If themicrocode update mode is disabled (step 3215), then the microcodecontrol logic 3110 will not initiate the microcode update mode.

[0218] Turning now to FIG. 24, a method 3500 for changing the microcodeupdate mode enable status, which includes a microcode mode lock, isshown. In response to receiving a request to enter the microcode mode(step 3505), the microcode control logic 3110 checks the status of theone or more microcode enable lock bits to see if the microcode mode islocked or unlocked (step 3510). If the microcode lock mode is unlocked(step 3515), then the microcode control logic 3110 initiates themicrocode mode (step 3535). If the microcode lock mode is locked (step3515), then the microcode control logic 3110 requests authorization tochange the microcode mode lock status (step 3520). If the change isauthorized (step 3525), then the microcode control logic 3110 changesthe microcode mode lock bit to unlocked (step 3530). If the change isnot authorized (step 3525), then the microcode control logic 3110 doesnot change the microcode mode lock bit.

[0219] In various embodiments, the microcode enable status may bechanged by setting or resetting the one or more microcode enable statusbits. For example, the microcode mode may be disabled, but inside SMM, apredetermined input to the microcode control logic 3110 may signal themicrocode control logic 3110 to change the microcode mode status toenabled. In the embodiment of FIG. 20C, for example, once signaled, themicrocode control logic 3110 will change the status of the one or moremicrocode enable bits from disabled to enabled.

[0220] In response to receiving a request to change the microcode modestatus, the microcode control logic 3110 may check the status of the oneor more microcode enable lock bits to determine if the microcode lockmode is enabled or disabled. If the microcode lock mode is disabled,then the microcode control logic 3110 may change the microcode modestatus. If the microcode lock mode is enabled, then the microcodecontrol logic 3110 will not change the microcode mode status.

[0221] It is noted that the method 3500 may alternatively terminate ifthe microcode update lock status is locked (step 3515), instead ofrequesting authorization to change the microcode update lock status(step 3520). The method 3500 may also include receiving a request tochange the microcode update lock status (not shown) prior to the method3500 requesting authorization (step 3520).
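The following is an added software model, not code from the patent, of the enable and lock registers of FIGS. 20A-20D together with the methods of FIGS. 21-24; it serves both the HDT mode and the microcode loader mode, which the text describes with the same enable/lock/reset logic. The names DebugFeatureControl, MultibitLockRegister, strap_default and their methods are assumptions of this model, as is the strap polarity (pulled up = enabled).

```python
class DebugFeatureControl:
    """One enable bit (HDT enable 3115 or microcode loader enable 3160) with
    one lock bit (HDT enable lock 3135 or its microcode counterpart)."""

    def __init__(self, name, default_enabled, default_locked=True):
        self.name = name
        self.default_enabled = default_enabled   # from NVRAM 3130 or strap 3145
        self.default_locked = default_locked
        self.reset()

    def reset(self):
        """Reset logic 3120/3165: RESET reloads the default enable and lock state."""
        self.enabled = self.default_enabled
        self.locked = self.default_locked

    def request_mode(self):
        """FIG. 21 / FIG. 23: the mode is initiated only if its enable bit is set."""
        return self.enabled

    def request_unlock(self, authorized):
        """FIG. 22 / FIG. 24, steps 3310-3330: the lock bit is cleared only
        when the change is authorized. Returns True if the lock is now open."""
        if not self.locked:
            return True
        if authorized:
            self.locked = False
        return not self.locked

    def request_change_enable(self, new_value, in_smm):
        """Paragraphs [0214]/[0215] and [0219]/[0220]: the enable bit may be
        changed only from SMM and only while the lock bit is clear."""
        if not in_smm or self.locked:
            return False
        self.enabled = new_value
        return True


def strap_default(pin_pulled_up):
    """FIG. 20B: the default enable value comes from a strapping resistor.
    Polarity (pulled up = enabled) is an assumption of this model."""
    return bool(pin_pulled_up)


class MultibitLockRegister:
    """FIG. 20D: HDT and microcode loader controls sharing one register 3180."""

    def __init__(self, production=True):
        # Production parts default both modes to disabled; engineering parts
        # default them to enabled ([0210]/[0211]). Both start locked here.
        self.fields = {
            "hdt": DebugFeatureControl("hdt", default_enabled=not production),
            "ucode": DebugFeatureControl("ucode", default_enabled=not production),
        }

    def reset(self):
        for field in self.fields.values():
            field.reset()

    def __getitem__(self, name):
        return self.fields[name]


if __name__ == "__main__":
    reg = MultibitLockRegister(production=True)
    hdt = reg["hdt"]
    print(hdt.request_mode())                          # False: disabled by default
    print(hdt.request_change_enable(True, in_smm=True))  # False: still locked
    print(hdt.request_unlock(authorized=True))         # True
    print(hdt.request_change_enable(True, in_smm=True))  # True
    print(hdt.request_mode())                          # True
    reg.reset()
    print(hdt.request_mode(), hdt.locked)              # False True
```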

[0222]FIGS. 25A, 25B, 26, and 27 illustrate flowcharts of embodiments ofmethods 3600A, 3600B, 3610A, and 3620 for secure access to storage,according to various aspects of the present invention. FIG. 25A shows aflowchart of the method 3600A where a security device maintains secureaccess to a storage device, according to one aspect of the presentinvention. FIG. 25B shows a flowchart of the method 3600B where a cryptoprocessor maintains secure access to a memory, according to one aspectof the present invention. FIG. 26 shows a flowchart of the method 3610Awhere a security device provides secure access control to a storagedevice using a challenge-response authentication protocol, according toone aspect of the present invention. FIG. 27 shows a flowchart of themethod 3620 where a secret is used to unlock data access to a securestorage device.

[0223] Turning to FIG. 25A, the method 3600A includes the securitydevice receiving a transaction request for a storage location associatedwith the storage device connected to the security device (block 3605A).The security device provides access control for the storage device(block 3610A). One embodiment of the access control shown in block 3610Ais illustrated by the method 3600B shown in FIG. 26.

[0224] According to the method 3600A, the security device maps thestorage location in the transaction request according to the addressmapping of the storage device (block 3615A). The security deviceprovides the transaction request to the storage device (block 3620A).Under normal circumstances, the storage device will perform therequested transaction (block 3625A).

[0225] In various embodiments, the security device associated with themethod 3600A may include a crypto processor or a block of logicconfigured to provide security for the storage device. The storagedevice may include an electronic storage medium like a memory or amagnetic or optical storage medium like a hard drive or an opticaldrive. The memory may include a RAM, a ROM, or a flash memory. The harddrive or optical drive may be fixed or removable. The transactionrequest may include, for example, a read request, a write request, or acombination of read and write requests.

[0226] It is noted that in various embodiments, the memory (or thestorage device) may include further security hardware of its own. Thefurther security hardware may include access logic, a random numbergenerator, and a secret, such as is illustrated above in FIG. 7C or 7D.

[0227] Turning to FIG. 25B, the method 3600B includes thecrypto-processor receiving a transaction request for a memory locationassociated with the memory connected to the crypto-processor (block3605B). The crypto-processor provides access control for the memory(block 3610B). One embodiment of the access control shown in block 3610Bis illustrated in FIG. 26.

[0228] According to the method 3600B, the crypto-processor maps thememory location in the transaction request according to the addressmapping of the memory (block 3615B). The crypto-processor provides thetransaction request to the memory (block 3620B). Under normalcircumstances, the memory will perform the requested transaction (block3625B).

[0229] Turning to FIG. 26, the method 3610A includes the security devicedetermining if a lock is in place for the storage location (block 3705).A transaction request may have been received for the storage location.If the lock is not in place (block 3710), then the method 3610A movespast the authentication portion. If the lock is in place (block 3710),then the security device provides a challenge for the storage location(block 3715). The challenge may be associated with the storage locationor with the storage device that includes the storage location. Thechallenge may be in response to the transaction request. Next, thesecurity device receives a response to the challenge (block 3720). Thesecurity device evaluates the response by comparing the response to anexpected response (block 3725). If the evaluation is not correct (block3730), then the method ends. If the evaluation is correct (block 3730),then the method proceeds with the security device providing thetransaction request to the storage device (block 3735).

[0230] In various embodiments, the security device associated with themethod 3610A may include a crypto processor or a block of logicconfigured to provide security for the storage device. The storagedevice may include an electronic storage medium like a memory or amagnetic or optical storage medium like a hard drive or an opticaldrive. The memory may include a RAM, a ROM, or a flash memory. The harddrive or optical drive may be fixed or removable. The transactionrequest may include, for example, a read request, a write request, or acombination of read and write requests.

[0231] Turning to FIG. 27, the method 3620 includes storing a secret in a storage device (block 3805). The storage device may include only a portion of a physical device. The storage device itself may be embodied as any storage device known in the art. The method 3620 may also include storing data in the storage device (block 3810) and storing code in the storage device (block 3815). The method 3620 may also include providing a lock (e.g., a lock bit or bits) to secure data stored in the storage device or the storage device itself (block 3815). Note that the above steps of method 3620 (blocks 3805-3820) may be performed relatively proximate in time, such as when the storage device is manufactured, installed, or initialized.

[0232] The method 3620 also includes reading the secret from the storagedevice (block 3825), such as, for example, when the computer systemincluding the storage device or coupled to communicate with the storagedevice is booted. For the secret to remain secure, the reading of thesecret preferably occurs when the storage device is in a secure ortrusted configuration. The method 3620 may also read the code from thestorage device (block 3830). The method 3620 stores the secret in asecure location (block 3825) and also may store the code in the securelocation (block 3830). The secure location may be in the SMM memoryspace previously described, or in a secure memory, register, or otherstorage location in the computer system 100, such as in the processor805 or in the south bridge 330.

[0233] In various embodiments, the storage device associated with themethod 3620 may include an electronic storage medium like a memory or amagnetic or optical storage medium like a hard drive or an opticaldrive. The memory may include a RAM, a ROM, or a flash memory. The harddrive or optical drive may be fixed or removable. A read in method 3620may describe any transaction request, such as, for example, a readrequest, a write request, or a combination of read and write requests.

[0234] FIG. 28 illustrates a prior art challenge-response method 3900 for authentication. The method has a requestor making an access request, in block 3905. In block 3910, a gatekeeper receives the access request and provides a challenge to the requestor to authenticate the requestor's authority to make the access request. In block 3915, the requestor receives the challenge and provides a response to the challenge to authenticate the requestor's authority to make the access request. In block 3920, the gatekeeper receives the response to the challenge and compares the response to an expected response.

[0235] In decision block 3925, the gatekeeper determines if the response is equal to the expected response. If the response is not equal to the expected response, in decision block 3925, then the method ends, preventing the requestor from completing the access request. If the response is equal to the expected response, in decision block 3925, then the method continues with block 3930. In block 3930, the gatekeeper approves the access request. Typically, a SHA-1 hash, well known in the art, of the secret and a number known to both the gatekeeper and the requestor is used to demonstrate knowledge of the secret.

[0236] Turning to FIGS. 29A, 29B, 29C, 29D, and 29E, an embodiment ofcomputer subsystem 4000A, including a south bridge 330D and I/O devices,an embodiment of a processor 805E, an embodiment of a processor 805F, anembodiment of a computer subsystem 4000B, including a processor 805 andother system devices, and an embodiment of a computer system 4000C,including an embodiment of a processor 805 and various devices areshown, including Globally Unique IDentifiers (GUIDs) 4099 and/or astored secret 4095 and/or a system GUID 4085.

[0237] In FIG. 29A, the south bridge 330D includes an embodiment of thesecurity hardware 370 coupled to the LPC BIL 134D and the USB interfacelogic 134C. The embodiment of the security hardware 370 includes therandom number generator (RNG) 455, a storage location storing a secret4095, and storage locations for storing a GUID table 4098. The GUIDtable 4098 may include a GUID for the south bridge 330D itself. Thesouth bridge 330D is coupled through the USB interface logic 134C to aUSB hub 4015 including a GUID 4099B. Coupled to the USB hub 4015 are abiometric device 4020 and a smart card reader 4025. The biometric device4020 includes the secret 4095 and a storage location for storing a GUID4099A. The smart card reader 4025 includes the secret 4095 and a storagelocation for storing a GUID 4099D. Coupled through the LPC bus 118 tothe LPC BIL 134D are the Super I/O chip 120 and a keyboard 4019,including a GUID 4099C.

[0238] In FIG. 29B, the processor 805E includes a GUID 4099E. In FIG.29C, the processor 805F includes the GUID table 4098, either in place ofor in addition to the GUID table 4098 shown in the south bridge 330D,shown in FIG. 29A. The GUID table 4098 of the processor 805F may includea GUID for the processor 805F itself.

[0239] In FIG. 29D, the computer subsystem 4000B includes the processor 805, which may represent any of the embodiments of the processor 805, such as the processor 805E shown in FIG. 29B or the processor 805F shown in FIG. 29C, coupled to a north bridge 810 including a GUID 4099F through the local bus 808. The north bridge 810 is shown coupled to an AGP device 4008 including a secret 4095 (and possibly also a GUID 4099G) and a memory 4006 including a plurality of memory modules, shown as DIMMs (Dual In-line Memory Modules) 4060A-4060C. Each of the DIMMs 4060A-4060C includes a GUID 4099H-4099K, respectively. In alternative embodiments, the GUIDs 4099 may be replaced by a storage location to store the secret 4095 (such as shown in the AGP device 4008 and in FIG. 29A) or augmented by the storage location to store the secret 4095 and the GUID 4099. Note that the computer subsystems 4000A and 4000B may connect between the north bridge 810 and the south bridge 330D.

[0240] According to one embodiment of the present invention, at boot time or during some other trusted set-up, the south bridge 330D and/or the processor 805F or other master device transmits the secret 4095 to each of the devices coupled to the master device capable of storing the secret 4095. Thus, in the illustrated embodiment of FIG. 29A, the USB hub 4015, the biometric device 4020, and the smart card reader 4025 would each store the secret 4095. In other words, during the trusted set-up, the device or devices become known to the master device through an authentication routine, and the master device communicates the secret 4095 to those devices that authenticate properly as a trusted component of the computer subsystem 4000 or some part of the computer system. During data requests or transfers, the master device transmits a random number (or at least a nonce, a number that is used only once) to the device along with the data request. The device may encrypt the data using the random number (or the nonce) and the secret before transmitting the data to the master device. Whether or not the data is encrypted, the device returns the random number (or the nonce) with the data as an authenticator of the data.

[0241] As an example of this embodiment, consider the biometric device 4020 of FIG. 29A as a fingerprint scanner 4020. Placing a finger on the fingerprint scanner 4020 may cause the fingerprint scanner 4020 to send an interrupt to the system. The fingerprint scanner 4020 scans the fingerprint of the finger on the fingerprint scanner 4020 to create fingerprint data. The system notifies the south bridge 330D, which sends the nonce to the fingerprint scanner 4020. The fingerprint scanner 4020 receives the nonce and returns the fingerprint data and the nonce to the south bridge 330D in response to receiving the nonce. The fingerprint scanner 4020 may also encrypt the fingerprint data using the nonce in lieu of sending the fingerprint data in the clear (i.e. not encrypted).

[0242] According to another embodiment of the present invention, at boot time or during some other trusted set-up, the south bridge 330D and/or the processor 805F or other master device reads the GUIDs from each device coupled to the south bridge 330D (i.e. the master device) capable of storing or actually storing a GUID 4099. Thus, in the illustrated embodiment of FIG. 29A, the USB hub 4015, the biometric device 4020, the smart card reader 4025, and the keyboard 4019 each have GUIDs 4099B, 4099A, 4099D, and 4099C, respectively. The south bridge 330D stores the GUIDs for each device in the GUID table 4098. In other words, during the trusted set-up, the device or devices become known to the south bridge 330D through an authentication routine, and the devices communicate their respective GUIDs 4099 to the south bridge 330D, which authenticates them as a trusted component of the computer subsystem 4000 or some part of the computer system.

[0243] During data requests or transfers, the south bridge 330D or other master device (e.g. the processor 805E or 805F) transmits a random number (or at least a nonce) to the device along with the data request. The device may encrypt the data using the random number (or the nonce) and the GUID before transmitting the data to the south bridge 330D. Whether or not the data is encrypted, the device returns the random number (or the nonce) with the data as an authenticator of the data.

[0244] As an example of this embodiment, consider a request from the system (e.g. the master device) to the keyboard 4019 for data. The system may request the keyboard 4019 to submit the GUID 4099C with the data. The GUID 4099C in this case may be combined with the data using a hash function (i.e. a one-way function well known in the art). The data are transmitted from the keyboard 4019 to the system along with the GUID 4099C. The master device, such as the security hardware 370 (alternatively the crypto-processor 305, such as shown in FIG. 4), authenticates the data.

[0245] In another embodiment of the present invention, one or more devices (such as 4035 shown in FIG. 29E) include both the GUID 4099 and the storage location for the secret 4095. In this embodiment, the system master, e.g. the south bridge 330D, and the devices 4120 use the GUID 4099, the secret 4095, or both to authenticate data transmissions.

[0246] It is noted that other I/O buses besides the USB 116 and the LPC bus 118 may be used in various embodiments of the present invention. For example, a hard drive (not shown) including a GUID 4099 and/or storage locations for the secret 4095 may be coupled to the IDE interface 114 (shown in FIG. 1A). In another example, the biometric device 4020 may couple to the computer subsystem 4000 through the PCI bus 110 or a serial port or a parallel port, such as through the Super I/O chip 120. Other I/O buses and connections are contemplated.

[0247] As currently implemented by some manufacturers, using 128 bits for the GUID 4099, up to 10³⁶ possible values are available for any GUID 4099. The sheer number of possible values allows for a device without a GUID 4099 to be assigned a random GUID 4099 with a very low probability of duplication. The use of the random number or the nonce may prevent a replay attack using a device, such as the biometric device 4020. Note that devices without GUIDs 4099 established during manufacturing may create a random GUID 4099, either for each boot or reset or for each data transmission.
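The exchange of paragraphs [0240] through [0247], as an added example that is not code from the patent: a master device in the south bridge role registers devices at trusted set-up (learning their GUIDs and handing over the shared secret), issues a fresh nonce with each data request, and accepts the returned data only if the authenticator was computed with the expected credential and the nonce has not been seen before. The device names, GUIDs, secret and the fingerprint sample are constructed for this example; folding the returned data into the hash, as [0244] does with the keyboard GUID, is a design choice of this example rather than something every embodiment in the text requires.

```python
import hashlib
import secrets
from typing import Optional


def authenticator(credential: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-1 over the credential (secret or GUID), the nonce and the data.

    The text describes a SHA-1 of the secret and a shared number; binding
    the data in as well is our choice here, so that a payload altered in
    transit is rejected along with a missing credential.
    """
    return hashlib.sha1(credential + nonce + data).digest()


class Device:
    """A peripheral in the role of the fingerprint scanner 4020 or the
    keyboard 4019: holds a GUID and, after set-up, the shared secret."""

    def __init__(self, name: str, guid: bytes) -> None:
        self.name = name
        self.guid = guid
        self.secret: Optional[bytes] = None   # handed over at trusted set-up

    def respond(self, nonce: bytes, payload: bytes, use: str) -> tuple:
        """Answer a data request with (payload, nonce, authenticator)."""
        credential = self.secret if use == "secret" else self.guid
        return payload, nonce, authenticator(credential, nonce, payload)


class MasterDevice:
    """The south bridge role: GUID table, shared secret, outstanding nonces."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(16)          # the stored secret
        self.guid_table: dict = {}                     # the GUID table
        self.outstanding: dict = {}                    # nonce -> device awaiting reply

    def trusted_setup(self, device: Device) -> None:
        """Boot-time registration: learn the GUID, hand over the secret."""
        self.guid_table[device.name] = device.guid
        device.secret = self.secret

    def challenge(self, device_name: str) -> bytes:
        nonce = secrets.token_bytes(16)                # from the hardware RNG
        self.outstanding[nonce] = device_name
        return nonce

    def verify(self, device_name: str, reply: tuple, use: str) -> bool:
        payload, nonce, auth = reply
        # Each nonce is honoured once. A replayed reply, or a reply to a
        # nonce issued to a different device, fails here even if the hash
        # itself is well formed.
        if self.outstanding.pop(nonce, None) != device_name:
            return False
        credential = self.secret if use == "secret" else self.guid_table.get(device_name)
        if credential is None:
            return False                               # device never registered
        return secrets.compare_digest(authenticator(credential, nonce, payload), auth)


def run_scenario() -> dict:
    """Exercise the exchange; returns named outcomes for inspection."""
    master = MasterDevice()
    scanner = Device("fingerprint scanner 4020", secrets.token_bytes(16))
    keyboard = Device("keyboard 4019", secrets.token_bytes(16))
    for dev in (scanner, keyboard):
        master.trusted_setup(dev)
    # Same name as the scanner but never went through trusted set-up.
    impostor = Device("fingerprint scanner 4020", secrets.token_bytes(16))

    fingerprint = b"constructed fingerprint template"  # sample data, not real
    results = {}

    # [0240]/[0241]: secret-based exchange with the scanner.
    nonce = master.challenge(scanner.name)
    reply = scanner.respond(nonce, fingerprint, "secret")
    results["secret_ok"] = master.verify(scanner.name, reply, "secret")
    # [0247]: the same reply presented again is a replay and is refused.
    results["replay_refused"] = not master.verify(scanner.name, reply, "secret")

    # [0242]-[0244]: GUID-based exchange with the keyboard.
    nonce = master.challenge(keyboard.name)
    results["guid_ok"] = master.verify(
        keyboard.name, keyboard.respond(nonce, b"scancode 0x1e", "guid"), "guid")

    # An unregistered device answers a challenge meant for the scanner.
    nonce = master.challenge(scanner.name)
    results["impostor_refused"] = not master.verify(
        scanner.name, impostor.respond(nonce, fingerprint, "guid"), "guid")

    # A payload altered in transit no longer matches its authenticator.
    nonce = master.challenge(scanner.name)
    payload, n, auth = scanner.respond(nonce, fingerprint, "secret")
    results["tamper_refused"] = not master.verify(
        scanner.name, (payload + b"!", n, auth), "secret")
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The outstanding-nonce table is what turns the nonce into a replay defence: the hash alone would still verify for a recorded reply, so the master must also refuse any nonce it did not just issue to that device.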

[0248] It is contemplated that, for example, a part of the memory, such as a memory controller (e.g. see memory 4006 in FIG. 29D), could include a GUID table 4098 and be the master device for the memory modules, such as DIMMs 4060A-4060C. The memory controller could register the GUIDs 4099 for the DIMMs 4060. The memory controller could then give its own GUID 4099 to another master device (e.g. north bridge 810 or processor 805). In this way, transmissions between and among system devices could be registered as being from known devices. Other subsystem master device arrangements are also contemplated, such as the north bridge 810 and the south bridge 330D as local masters, with the processor 805 being the system master. Additional master devices could include the USB hub 4015 for the other USB devices and a drive controller for its attached storage drives (e.g. hard drives or optical drives).

[0249] Turning now to FIG. 29E, an embodiment of the computer system 4000C is illustrated with a further embodiment of system components that are recognized by the computer system. As shown, an embodiment of the processor 805 is coupled to an embodiment of the north bridge 810. A memory subsystem 4006 and an embodiment of a south bridge 330E are also coupled to the north bridge 810. A generic device 4035 and an embodiment of the crypto-processor 305 are coupled to the south bridge 330E. The south bridge 330E includes security hardware 370, including a storage location for a system GUID 4085 and the GUID table 4098 described above. In the illustrated embodiment of the computer system 4000C, each of the processor 805, memory 4006, the north bridge 810, the device 4035, and the crypto-processor 305 includes logic 4080, a storage location for the system GUID 4085, a storage location for an introduced bit 4090, and a respective GUID 4099, such as GUIDs 4099P, 4099F, 4099M, or 4099L. Note that the logic 4080 of FIG. 29E may be implied in FIGS. 29A-29D.

[0250] In one embodiment, upon first being placed in the computer system 4000C, a system master introduces each device 4035 to the computer system 4000C. For the purposes of this aspect of the present invention, a “device” may be any component or subsystem or master device that may be a part of the computer system 4000C. Examples include the processor 805, the north bridge 810, the memory controller 4006 or memory modules (not shown), the south bridge 330, USB devices (shown elsewhere), other I/O devices, and the crypto-processor 305. For the purposes of this discussion, reference will be made to device 4035, but device 4035 is intended to be generic. In particular, the device 4035 may be removable from the computer system 4000C and normally usable in another computer system (not shown) other than computer system 4000C, including data drives and I/O devices. The system master shown in FIG. 29E is the south bridge 330E. The processor 805 may alternatively be the system master. A logic circuit (not shown) on or a part of a motherboard (not shown) for the computer system 4000C, or on a daughter card (not shown), may also be the system master.

[0251] As each device 4035, 805, 4006, 330E, 305, etc. is introduced to the computer system 4000C, the system master provides the system GUID 4085 to the device 4035. The device 4035 stores the system GUID 4085. The device 4035 provides the system master with its GUID 4099M, and the system master stores the GUID 4099M of the device in the GUID table 4098. Upon exchanging GUIDs, the device 4035 sets the introduced bit 4090. While the introduced bit 4090 is set, the device 4035 is “married” to the computer system 4000C and will only exchange data with the computer system 4000C. The device 4035 and the computer system 4000C may also “divorce by mutual consent” by authenticating their respective GUIDs and having the device 4035 reset the introduced bit.

[0252] Each data transfer in the computer system 4000C may involve the exchange of the GUID 4099 and/or the system GUID 4085. A failure to authenticate the system GUID 4085 results in the device 4035 not responding with the requested data or simply not responding to the data request. Should the device 4035 request data from another device in the computer system 4000C without providing or authenticating its own GUID 4099M, the computer system 4000C will not respond with the requested data or simply does not respond to the data request from the device 4035.

[0253] To prevent complete loss of data or use of the device 4035 and the computer system 4000C, a maintenance mode or “divorce court” may be available to force the introduced bit 4090 to be reset. For example, a manufacturer may place a master ID value in each of a batch of components to allow for a repair facility to reset the introduced bit 4090.

[0254] In various embodiments, the logic 4080 may be configured to provide requested data using a hash function on the GUID 4099M and either a nonce, a random number, or the requested data. For example, the processor 805 may request data from the memory 4006. The processor 805 may provide a random number and the result of a hash of the random number and either the GUID 4099N for the memory 4006 or the system GUID 4085. The memory 4006 compares the result of the hash from the processor 805 with its own calculation of the hash value before responding to the data request from the processor 805.

[0255] In another embodiment, the device 4035 (as well as other system devices) does not store the system GUID 4085. In this embodiment, the device 4035 only responds to a data transaction when its GUID 4099M is provided with the data transaction. To initiate a data transaction, the device 4035 demonstrates its own GUID 4099M to the system master 330E, which authenticates the device 4035 as being introduced to the computer system 4000C and thus trusted. Note that the secret 4095 may be substituted for the system GUID 4085 and used in place of the respective GUIDs 4099. Note also that the device 4035 may be used in computer systems other than computer system 4000C so long as the device 4035 has not been introduced to the computer system 4000C. After the device 4035 has been introduced to the computer system 4000C and the introduced bit 4090 has been set, the device is only usable in the computer system 4000C until the introduced bit 4090 has been reset. Note that the introduced bit 4090 is preferably stored in non-volatile memory.

[0256] Turning now to FIGS. 30A and 30B, flowcharts of embodiments of methods 4100A and 4100B for operating a computer system including a biometric device, such as the biometric device 4020 shown in FIG. 29A, are illustrated. In FIG. 30A, the method 4100A includes the biometric data being sent in the clear along with the result of a hash function using a secret and a nonce or random number. In FIG. 30B, the method 4100B includes the biometric data being sent in encrypted form, and an indication of the nonce or random number is sent as the result of the hash using the secret and the nonce or random number. The nonce or random number may be sent in the clear in all or only some of the transmissions in the data transaction. Note that the secret may be an individual secret, such as a GUID of a device, or a group secret, such as a system GUID, a sub-system GUID, or both the individual secret and the group secret. The secret may be programmed at manufacture, established at boot time, or a random number picked during a trusted set-up, or a combination thereof.

[0257] In FIG. 30A, the method 4100A includes a biometric data transaction being requested involving a biometric device, in step 4110. A nonce or random number is provided to the biometric device, in step 4115. The biometric device responds to the biometric data transaction request with the requested biometric data and the result of the hash function using the secret and the nonce or random number, in step 4120A. The result of the hash function is compared to an expected value for the hash function, in step 4125A. If the result of the hash function is not the same as the expected value, in the decision block 4130, then the transmitted biometric data are rejected, in step 4135. If the result of the hash function is the same as the expected value, in the decision block 4130, then the transmitted biometric data are accepted as the requested biometric data, in step 4140.

[0258] In FIG. 30B, the method 4100B includes a biometric data transaction being requested involving a biometric device, in step 4110. A nonce or random number is provided to the biometric device, in step 4115. The biometric device responds to the biometric data transaction request with the requested biometric data in encrypted form and the result of the hash using a secret and the nonce or random number, in step 4120B. The result of the hash is compared to an expected value for the hash of the secret and the nonce or random number, in step 4125B. If the result of the hash is not the same as the expected value for the result of the hash, in the decision block 4130, then the transmitted biometric data are rejected, in step 4135. If the result of the hash is the same as the expected value for the result of the hash, in the decision block 4130, then the transmitted biometric data in encrypted form are accepted as the requested biometric data, in step 4140.

[0259] Another embodiment of the method 4100 includes providing a nonce or random number, receiving biometric data, transmitting the biometric data and the nonce or random number, and authenticating the biometric data using the nonce or random number. In still another embodiment, the method 4100 may further include encrypting the biometric data, receiving the encrypted biometric data and the nonce or random number, and decrypting the encrypted biometric data. This embodiment may only transmit the encrypted biometric data and the nonce or random number. In still another embodiment, the method 4100 may include encrypting the biometric data using the nonce or random number and decrypting the encrypted biometric data using the nonce or random number.

[0260] The method 4100 may also include receiving a secret, storing the secret, transmitting at least an indication of the secret with the biometric data, receiving at least the indication of the secret, and authenticating the biometric data using at least the indication of the secret. In a further embodiment, the method 4100 may include encrypting the biometric data using the secret, and decrypting the encrypted biometric data using the secret. In still another embodiment, the method 4100 may include encrypting the biometric data using the secret and the nonce or random number, and decrypting the encrypted biometric data using the secret and the nonce or random number. In one embodiment, the secret may include a system GUID. The method 4100 may also include providing a GUID, encrypting the biometric data using the GUID, the secret, and the nonce or random number, and decrypting the encrypted biometric data using the GUID, the secret, and the nonce or random number.

[0261] It is noted that in various embodiments, receiving the biometric data may occur in response to providing the nonce or random number. In other embodiments, receiving the biometric data may occur only in response to providing the nonce or random number. Various steps of various embodiments of the method may be performed by different entities, including, but not limited to, the biometric device, the master device, and the system master.

[0262] Turning now to FIGS. 31A, 31B, 32A, 32B, 32C, and 33, flowcharts of embodiments of methods 4200A, 4200B, 4300A, 4300B, 4300C, and 4400 for authenticating a device in a computer system, such as computer systems including computer subsystems 4000A, 4000B, and 4000C of FIGS. 29A, 29D, and 29E, are illustrated. In the method of FIG. 31A, a secret is passed in encrypted form for authentication, but the data are transmitted in the clear. In the method of FIG. 31B, the secret and data are both passed in encrypted form. In the method of FIG. 32A, a device GUID is passed in encrypted form for authentication, but the data are transmitted in the clear. In the method of FIG. 32B, the device GUID and data are both passed in encrypted form. In the method of FIG. 32C, the secret, the device GUID, and the data are passed in encrypted form. In the method of FIG. 33, the device and the computer system are authenticated to each other as the device is united to the computer system using the introduced bit 4090 shown in FIG. 29E.

[0263] In the method 4200A of FIG. 31A, a master device in the computer system transmits a secret to a device in the computer system during a trusted set-up, in block 4205. As noted elsewhere, the trusted set-up may occur, as examples, when the device is first introduced to the computer system or during a boot sequence of the computer system. A data transaction is requested involving the device in the computer system that knows the secret, in block 4210. It is contemplated that one or more or all of the devices in the computer system will follow the method 4200A and know the secret. A nonce or random number is provided to the device in the computer system that knows the secret, in block 4215.

[0264] If the data transaction request is a read of data from the device, in block 4220A, the device responds to the data transaction request with the requested data and a result of a hash using the secret and the nonce or random number. If the data transaction request is a write of data to or through the device, in block 4220A, the device responds to the data transaction request with the result of the hash using the secret and the nonce or random number. Thus, in block 4220A, the device responds to the data transaction request and verifies its authorization to complete the data transaction request.

[0265] The method 4200A continues with the result of the hash using the secret and the nonce or random number being compared to an expected value for the result of the hash using the secret and the nonce or random number, in block 4225. If the comparison results are not the same, in decision block 4230, then the method continues by rejecting the transmitted data from the read or by not sending the data for the write, in block 4235. If the comparison results are the same, in decision block 4230, then the method continues by accepting the transmitted data from the read or by sending the data for the write, in block 4240A.

[0266] In the method 4200B of FIG. 31B, a master device in the computer system transmits a secret to a device in the computer system during a trusted set-up, in block 4205. A data transaction is requested involving the device in the computer system that knows the secret, in block 4210. It is contemplated that one or more or all of the devices in the computer system will follow the method 4200B and know the secret. A nonce or random number is provided to the device in the computer system that knows the secret, in block 4215.

[0267] If the data transaction request is a read of data from the device, in block 4220B, the device responds to the data transaction request with the requested data encrypted using the secret and the nonce or random number and a result of a hash using the secret and the nonce or random number. If the data transaction request is a write of data to or through the device, in block 4220B, the device responds to the data transaction request with the result of the hash using the secret and the nonce or random number. Thus, in block 4220B, the device responds to the data transaction request and verifies its authorization to complete the data transaction request.

[0268] The method 4200B continues with the result of the hash using the secret and the nonce or random number being compared to an expected value for the result of the hash using the secret and the nonce or random number, in block 4225. If the comparison results are not the same, in decision block 4230, then the method continues by rejecting the transmitted data from the read or by not sending the data for the write, in block 4235. If the comparison results are the same, in decision block 4230, then the method continues by accepting the transmitted data from the read or by encrypting the data using the secret and the nonce or random number and sending the encrypted data for the write, in block 4240B.

[0269] In the method 4300A of FIG. 32A, a master device in the computer system reads the GUID for a device in the computer system during a trusted set-up, in block 4305. A data transaction is requested involving the device in the computer system with the known GUID, in block 4310. It is contemplated that one or more or all of the devices in the computer system will follow the method 4300A and have their GUIDs known to the computer system. A nonce or random number is provided to the device in the computer system with the known GUID, in block 4315.

[0270] If the data transaction request is a read of data from the device, in block 4320A, the device responds to the data transaction request with the requested data and a result of a hash using the GUID and the nonce or random number. If the data transaction request is a write of data to or through the device, in block 4320A, the device responds to the data transaction request with the result of the hash using the GUID and the nonce or random number. Thus, in block 4320A, the device responds to the data transaction request and verifies its identity and authorization to complete the data transaction request.

[0271] The method 4300A continues with the result of the hash using the GUID and the nonce or random number being compared to an expected value for the result of the hash using the GUID and the nonce or random number, in block 4325. If the comparison results are not the same, in decision block 4330, then the method continues by rejecting the transmitted data from the read or by not sending the data for the write, in block 4335. If the comparison results are the same, in decision block 4330, then the method continues by accepting the transmitted data from the read or by sending the data for the write, in block 4340A.

[0272] In the method 4300B of FIG. 32B, a master device in the computer system reads the GUID for a device in the computer system during a trusted set-up, in block 4305. A data transaction is requested involving the device in the computer system with the known GUID, in block 4310. It is contemplated that one, more than one, or all of the devices in the computer system will follow the method 4300B and have their GUIDs known to the computer system. A nonce or random number is provided to the device in the computer system with the known GUID, in block 4315.

[0273] If the data transaction request is a read of data from the device, in block 4320B, the device responds to the data transaction request with the requested data encrypted using the GUID and the nonce or random number and a result of a hash using the GUID and the nonce or random number. If the data transaction request is a write of data to or through the device, in block 4320B, the device responds to the data transaction request with the result of the hash using the GUID and the nonce or random number. Thus, in block 4320B, the device responds to the data transaction request and verifies its identity and authorization to complete the data transaction request.

[0274] The method 4300B continues with the result of the hash using the GUID and the nonce or random number being compared to an expected value for the result of the hash using the GUID and the nonce or random number, in block 4325. If the comparison results are not the same, in decision block 4330, then the method 4300B continues by rejecting the transmitted data from the read or by not sending the data for the write, in block 4335. If the comparison results are the same, in decision block 4330, then the method 4300B continues by accepting the transmitted data from the read or by encrypting the data using the GUID and the nonce or random number and sending the encrypted data for the write, in block 4340B.

[0275] In the method 4300C of FIG. 32C, a master device in the computer system reads the GUID for a device in the computer system and transmits a secret to the device during a trusted set-up, in block 4306. A data transaction is requested involving the device in the computer system with the known GUID that knows the secret, in block 4311. It is contemplated that one or more or all of the devices in the computer system will follow the method 4300C and have their GUIDs known to the computer system and know the secret. A nonce or random number is provided to the device in the computer system with the known GUID that knows the secret, in block 4316.

[0276] If the data transaction request is a read of data from the device, in block 4320C, the device responds to the data transaction request with the requested data encrypted using the secret, the GUID, and the nonce or random number and a result of a hash using the secret, the GUID, and the nonce or random number. If the data transaction request is a write of data to or through the device, in block 4320C, the device responds to the data transaction request with the result of the hash using the secret, the GUID, and the nonce or random number. Thus, in block 4320C, the device responds to the data transaction request and verifies its identity and authorization to complete the data transaction request.

[0277] The method 4300C continues with the result of the hash using the secret, the GUID, and the nonce or random number being compared to an expected value for the result of the hash using the secret, the GUID, and the nonce or random number, in block 4326. If the comparison results are not the same, in decision block 4330, then the method 4300C continues by rejecting the transmitted data from the read or by not sending the data for the write, in block 4335. If the comparison results are the same, in decision block 4330, then the method 4300C continues by accepting the transmitted data from the read or by encrypting the data using the secret, the GUID, and the nonce or random number and sending the encrypted data for the write, in block 4340C.
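Methods 4200A/B and 4300A/B/C (and the biometric special case 4100A/B of FIGS. 30A and 30B) differ only in which credential feeds the hash and whether the data travel encrypted, so one parametrized implementation covers all of them. This is an added example, not code from the patent: the "credential" is the concatenation of whichever of the secret and the device GUID the variant uses; for the write path the device proves itself with the hash before any data are sent; and "encrypting using the credential and the nonce" is realised here with a SHA-1 counter-mode keystream XORed over the data, a stand-in chosen so the example runs on the standard library alone, not the cipher of any real chipset. Device names, GUIDs and payloads are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Variant:
    """Which credential the hash uses and whether the data are encrypted."""
    use_secret: bool
    use_guid: bool
    encrypt: bool


VARIANTS = {
    "4200A": Variant(True, False, False),   # secret; data in the clear
    "4200B": Variant(True, False, True),    # secret; data encrypted
    "4300A": Variant(False, True, False),   # GUID; data in the clear
    "4300B": Variant(False, True, True),    # GUID; data encrypted
    "4300C": Variant(True, True, True),     # secret and GUID; data encrypted
}


def hash_result(credential: bytes, nonce: bytes) -> bytes:
    """The 'result of the hash using the credential and the nonce'."""
    return hashlib.sha1(credential + nonce).digest()


def keystream_xor(credential: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt 'using the credential and the nonce' (self-inverse).
    SHA-1 in counter mode as a stand-in keystream; see the lead-in."""
    stream = b"".join(hashlib.sha1(credential + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def credential(v: Variant, secret: Optional[bytes], guid: Optional[bytes]) -> Optional[bytes]:
    """Join the parts the variant needs; None if one of them is unknown."""
    parts = ([secret] if v.use_secret else []) + ([guid] if v.use_guid else [])
    return None if any(p is None for p in parts) else b"".join(parts)


class Peripheral:
    def __init__(self, guid: bytes, stored: bytes) -> None:
        self.guid, self.stored = guid, stored
        self.secret: Optional[bytes] = None        # filled in at trusted set-up

    def respond_read(self, v: Variant, nonce: bytes):
        """Blocks 4220/4320, read: data (clear or encrypted) plus the hash."""
        cred = credential(v, self.secret, self.guid)
        data = keystream_xor(cred, nonce, self.stored) if v.encrypt else self.stored
        return data, hash_result(cred, nonce)

    def respond_write(self, v: Variant, nonce: bytes) -> bytes:
        """Blocks 4220/4320, write: the hash alone, before any data flow."""
        return hash_result(credential(v, self.secret, self.guid), nonce)

    def store(self, v: Variant, nonce: bytes, data: bytes) -> None:
        cred = credential(v, self.secret, self.guid)
        self.stored = keystream_xor(cred, nonce, data) if v.encrypt else data


class Master:
    def __init__(self) -> None:
        self.secret = secrets.token_bytes(16)
        self.guid_table: dict = {}

    def trusted_setup(self, name: str, dev: Peripheral, v: Variant) -> None:
        """Blocks 4205/4305/4306: read the GUID and/or hand over the secret."""
        if v.use_guid:
            self.guid_table[name] = dev.guid
        if v.use_secret:
            dev.secret = self.secret

    def _check(self, name: str, v: Variant, nonce: bytes, h: bytes) -> Optional[bytes]:
        cred = credential(v, self.secret, self.guid_table.get(name))
        if cred is None or not secrets.compare_digest(h, hash_result(cred, nonce)):
            return None                             # blocks 4235/4335: reject
        return cred

    def read(self, name: str, dev: Peripheral, v: Variant) -> Optional[bytes]:
        nonce = secrets.token_bytes(16)             # blocks 4215/4315
        data, h = dev.respond_read(v, nonce)
        cred = self._check(name, v, nonce, h)
        if cred is None:
            return None
        return keystream_xor(cred, nonce, data) if v.encrypt else data   # 4240/4340

    def write(self, name: str, dev: Peripheral, v: Variant, data: bytes) -> bool:
        nonce = secrets.token_bytes(16)
        cred = self._check(name, v, nonce, dev.respond_write(v, nonce))
        if cred is None:
            return False                            # the data are never sent
        dev.store(v, nonce, keystream_xor(cred, nonce, data) if v.encrypt else data)
        return True


def run_variants() -> dict:
    """A read then a write under each variant, plus two devices that should fail."""
    out = {}
    for label, v in VARIANTS.items():
        master, dev = Master(), Peripheral(secrets.token_bytes(16), b"constructed record")
        master.trusted_setup("disk", dev, v)
        read_ok = master.read("disk", dev, v) == b"constructed record"
        write_ok = master.write("disk", dev, v, b"new record") and dev.stored == b"new record"
        out[label] = read_ok and write_ok
    master, dev = Master(), Peripheral(secrets.token_bytes(16), b"x")
    master.trusted_setup("disk", dev, VARIANTS["4300C"])
    swapped = Peripheral(secrets.token_bytes(16), b"x")   # knows the secret, wrong GUID
    swapped.secret = master.secret
    out["swapped_rejected"] = master.read("disk", swapped, VARIANTS["4300C"]) is None
    stranger = Peripheral(secrets.token_bytes(16), b"x")  # never registered at all
    stranger.secret = secrets.token_bytes(16)
    out["unregistered_rejected"] = master.read("other", stranger, VARIANTS["4300C"]) is None
    return out
```

The hash here covers only the credential and the nonce, as the flowcharts describe, so it authenticates the device to the master for this transaction; the encrypted variants additionally keep the payload from a passive observer on the bus.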

[0278] In the method 4400 of FIG. 33, a master device in the computer system reads the GUID for a device in the computer system and records the GUID in a GUID table during a trusted set-up where the device joins the computer system, in block 4405. The device may receive a system GUID from the master device and store the system GUID, in block 4410. The device sets an introduced bit in response to joining the computer system, in block 4415. The device is now considered to be “married” to the computer system. It is contemplated that one, more than one, or all of the devices in the computer system will follow the method 4400 and be “married” to the computer system.

[0279] The device receives a transaction request from the computer system, and the device checks if the introduced bit is set, in block 4420. If the introduced bit is not set, in decision block 4425, then the method 4400 continues by not fulfilling the transaction request or by not responding to the transaction request, in block 4430. If the introduced bit is set, in decision block 4425, then the method 4400 may continue with the device requesting authentication from the computer system using the GUID before responding to the transaction request, in block 4435.

[0280] If the device requests authentication, or if the computer system authenticates directly, a nonce or random number may be provided to the device. If the transaction request is a read of data from the device, the device may respond to the transaction request with the requested data encrypted using the GUID and the nonce or random number and a result of a hash using the GUID and the nonce or random number. If the data transaction request is a write of data to or through the device, the device may respond to the data transaction request with the result of the hash using the GUID and the nonce or random number.

[0281] The method 4400 continues with the result of the authentication, in decision block 4440. If the authentication is not successful, in decision block 4440, then the method 4400 continues by not fulfilling the transaction request, in block 4430. If the authentication is successful, in decision block 4440, or if authentication is not used for the transaction request, then the method 4400 continues by fulfilling the transaction request, in block 4445.

[0282] In alternative embodiments, the authentication may be performed by different methods. As an example, the master device may authenticate itself to the device by providing at least an indication of the system GUID to the device. Additional authentication methods known in the art, other than challenge-response, may also be used.

[0283] Turning now to FIGS. 34 and 35, flowcharts of embodiments of methods 4500 and 4600 for removing the device from the computer system once the device has been united with (“married to”) the computer system using the introduced bit 4090 shown in FIG. 29E are illustrated. In the method 4500 of FIG. 34, the removal of the device from the computer system is by joint consent, a “no-fault divorce.” In the method 4600 of FIG. 35, the removal of the device from the computer system is forced in a maintenance mode using a maintenance (backdoor) key, a “court-ordered divorce.”

[0284] The method 4500 of FIG. 34 includes the device or the master device initiating a request for the device to leave the computer system, in block 4505. The device and the master device authenticate themselves to each other using the GUID and/or the system GUID, in response to the request for the device to leave the computer system, in block 4510. The device resets the introduced bit in response to the device and the master device successfully authenticating each other, in block 4515.

[0285] The method 4500 of FIG. 34 may advantageously allow for easy removal of a device married to the computer system while maintaining system security. Authentication between the device and the master device may include any combination of the device providing at least an indication of the GUID to the master device, the device providing at least an indication of the system GUID to the master device, the master device providing at least an indication of the GUID to the device, and the master device providing at least an indication of the system GUID to the device. Any appropriate mechanism may be used for providing at least the indication, including the challenge-response method or other authentication method known in the art.

[0286] The method 4600 of FIG. 35 includes the device receiving a command for the device to leave the computer system, in block 4605. The device also receives at least an indication of a maintenance key that the device can successfully authenticate, in block 4610. The device resets the introduced bit in response to the device receiving at least the indication of the maintenance key that the device can successfully authenticate, in block 4615.

[0287] The method 4600 of FIG. 35 may advantageously allow for easy removal of a device married to the computer system when the computer system is unresponsive or the device must be removed from the computer system for repair, while maintaining system security. The maintenance key may be programmed by the manufacturer of the device for each device, or for a class of devices. Authorized, trusted repair facilities are preferably the only ones with access to the maintenance key. A purchaser of a large number of similar devices could request a single maintenance key for all devices purchased.

[0288] Turning now to FIG. 36, a block diagram of an embodiment of a computer subsystem 4700 including bus interface logics 134B, 134C, 134D, and 134E with master mode capabilities in an embodiment of the south bridge 330F, according to one aspect of the present invention, is illustrated. In the embodiment shown, the south bridge 330F is coupled through the LPC bus 118 to an embodiment of a crypto-processor 305, including master mode logic 4790. The crypto-processor 305 is coupled to secure a protected storage 605. The bus interface logics 134B, 134C, 134D, and 134E of the south bridge 330F include IDE interface logic 134B, USB interface logic 134C, LPC bus interface logic 134D, and SMBus bus interface logic 134E. Each bus interface logic 134B, 134C, 134D, and 134E includes a master mode register 4799 including a master mode bit. Coupled to the USB interface logic 134C are the USB hub 315, the biometric device 320, and the smart card reader 325.

[0289] Master mode operations of the computer subsystem 4700 may advantageously allow for secure input of data, such as biometric data or smart card data, without the unencrypted data being accessible to the operating system. Master mode creates a secure communications channel between the master mode logic 4790 and the data input device.

[0290] Although the illustrated embodiment of FIG. 36 shows the master mode logic 4790 in the crypto-processor 305, it is contemplated that the master mode logic 4790 may also be incorporated into other devices in the computer system, such as in the security hardware 370 shown above. It is also contemplated that other devices that pass through data, such as the USB hub 315, may also include the master mode register 4799. In various embodiments, secure data input devices, such as the biometric device 320, the smart card reader 325, or a keyboard, also include the master mode register 4799.

[0291] Note that the storage location or locations for storing the master mode bit may also include space for storing one or more addresses in an appropriate format for the bus interface logic. The one or more addresses may be used by the bus interface logics to provide data to and from only those addresses, only within the address range defined by those addresses, or to exclude data from or to those addresses or the address range the addresses define. The crypto-processor or security hardware may store the one or more addresses, or the crypto-processor or security hardware may indicate to the bus interface logic or logics to store the addresses themselves.

[0292] Turning now to FIG. 37, a flowchart of an embodiment of a method 4800 for operating in a master mode outside the operating system is illustrated. The master mode operation may advantageously allow for user authentication, such as via a biometric device or a smart card reader, without the operating system or a program running under the operating system snooping on the authentication data stream.

[0293] The method 4800 shown in FIG. 37 includes transmitting a master mode signal to one or more bus interface logics or other devices that include a master mode register, in block 4805. The method 4800 also includes setting a master mode bit in the master mode register of each of the one or more bus interface logics or other devices that include the master mode register to establish a secure transmission channel between the master mode logic and the data input device, in block 4810. The master mode logic and the data input device exchange data outside the operating system of the computer system through the bus interface logics or other devices that include the master mode register, in block 4815.

[0294] The master mode logic flushes, or signals the bus interface logics or other devices that include the master mode register to flush, the buffers of the bus interface logics or other devices that include the master mode register after concluding the data transmissions, in block 4820. The master mode logic finally signals the bus interface logics or other devices that include the master mode register to reset the master mode bits after flushing the buffers of the bus interface logics or other devices that include the master mode register so that the operating system can again access the bus interface logics or other devices that include the master mode register, in block 4825.

[0295] As used herein, operating outside the operating system means that programs running under the operating system are unable to access the bus interface logics or other devices including a master mode register when the master mode bit is set. This may advantageously allow for a program running under the operating system to request the crypto-processor or other master device including the master mode logic to perform a secure data read. The master mode logic is configured to read secure data from an input device such as a biometric device, a smart card reader, a signature verification reader, or a keyboard. As described herein, the biometric device may measure any one or more of any number of physiological and/or behavioral features, including but not limited to fingerprints, hand geometry, voice prints, retinal scans, facial scans, body odor, ear shape, DNA profile, keystroke dynamics, and vein checking.
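The master mode sequence of blocks 4805 through 4825, modelled in C as an added example; this is not code from the patent or from any product it describes. One bus interface logic is represented by a struct holding its master mode register and a small data buffer (the struct, the `REQ_OS`/`REQ_MASTER` requester labels and the 8-byte buffer are assumptions for illustration). The access check implements the rule of paragraph [0295]: while the master mode bit is set, only the master mode logic can reach the interface, and the buffer is flushed before the bit is cleared so that no authentication data is left behind for the operating system to read.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one bus interface logic (134B..134E) with its
 * master mode register 4799. Names and the 8-byte buffer are assumptions
 * for illustration, not the patent's register layout. */
#define MM_BIT   0x01u          /* master mode bit in the register */
#define BUF_LEN  8

enum requester { REQ_OS = 0, REQ_MASTER = 1 };

typedef struct {
    uint8_t master_mode_reg;    /* register 4799; bit 0 = master mode bit */
    uint8_t buffer[BUF_LEN];    /* data buffered by the interface logic */
    size_t  used;
} bus_if_t;

/* Blocks 4805/4810: the master mode logic signals the interface logic,
 * which sets its master mode bit. Returns false if already in master mode. */
static bool bus_if_enter_master_mode(bus_if_t *b)
{
    if (b->master_mode_reg & MM_BIT) return false;
    b->master_mode_reg |= MM_BIT;
    return true;
}

/* Access check of paragraph [0295]: while the bit is set, only the
 * master mode logic may reach the interface logic. */
static bool bus_if_access_allowed(const bus_if_t *b, enum requester who)
{
    if (b->master_mode_reg & MM_BIT) return who == REQ_MASTER;
    return true;    /* bit clear: the operating system may use the logic */
}

/* Block 4815: the input device's data passes through the buffer. */
static bool bus_if_write(bus_if_t *b, enum requester who, const uint8_t *d, size_t n)
{
    if (!bus_if_access_allowed(b, who) || n > BUF_LEN) return false;
    memcpy(b->buffer, d, n);
    b->used = n;
    return true;
}

static bool bus_if_read(bus_if_t *b, enum requester who, uint8_t *out, size_t *n)
{
    if (!bus_if_access_allowed(b, who)) return false;
    memcpy(out, b->buffer, b->used);
    *n = b->used;
    return true;
}

/* Blocks 4820/4825: flush first, then clear the bit, so nothing of the
 * secure exchange remains for the operating system to read afterwards. */
static void bus_if_leave_master_mode(bus_if_t *b)
{
    memset(b->buffer, 0, sizeof b->buffer);
    b->used = 0;
    b->master_mode_reg &= (uint8_t)~MM_BIT;
}

/* Whole method 4800 for one interface logic: returns the number of bytes
 * the master mode logic received, or -1 on failure. On return the buffer
 * is flushed and the operating system can use the logic again. */
static int master_mode_read(bus_if_t *b, const uint8_t *device_data, size_t n,
                            uint8_t *out)
{
    size_t got = 0;
    if (!bus_if_enter_master_mode(b)) return -1;
    /* constructed: the input device delivers its data through the logic */
    if (!bus_if_write(b, REQ_MASTER, device_data, n) ||
        !bus_if_read(b, REQ_MASTER, out, &got)) {
        bus_if_leave_master_mode(b);
        return -1;
    }
    bus_if_leave_master_mode(b);
    return (int)got;
}

int main(void)
{
    bus_if_t usb = {0};
    uint8_t sample[4] = {0xDE, 0xAD, 0xBE, 0xEF}; /* constructed biometric bytes */
    uint8_t out[BUF_LEN], os_out[BUF_LEN];
    size_t os_n = 0;

    bus_if_enter_master_mode(&usb);
    printf("OS read during master mode allowed? %d\n",
           bus_if_read(&usb, REQ_OS, os_out, &os_n));
    bus_if_leave_master_mode(&usb);
    int n = master_mode_read(&usb, sample, sizeof sample, out);
    printf("master mode logic received %d bytes; buffer used after exit = %zu\n",
           n, usb.used);
    return 0;
}
```

The ordering in `bus_if_leave_master_mode` is the point a reviewer would check: clearing the bit before the flush would reopen the interface to the operating system while the last authentication bytes are still buffered.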

[0296] Turning now to FIGS. 38A and 38B, flowcharts of embodiments of methods 4900A and 4900B for booting a computer system including authentication via the master mode logic are shown. In FIG. 38A, the crypto-processor is used to control the master mode logic, while in FIG. 38B, the security hardware is used to control the master mode logic.

[0297] In FIG. 38A, the processor executes BIOS code instructions from SMM space, in 4920. After optionally accessing the security hardware, in 4930, the method 4900A requests authentication from the crypto-processor, preferably using the master mode logic, in 4935A. The method 4900A places the bus interface logics in master mode, in 4938. The bus interface logics would typically be between the crypto-processor and the authentication device. The method 4900A receives the authentication data while the bus interface logics are in master mode, in 4940. The method 4900A exits master mode and flushes the buffers of the bus interface logics, in 4942. The method 4900A next verifies the authentication data, in 4944. Verifying the authentication data may include the crypto-processor providing an indication of the authentication data to a remote security device. If the authentication data are verified in 4948, then the method 4900A continues the boot process, in 4990. If the authentication data are not verified in 4948, then the method 4900A returns to 4935A and again requests authentication.

[0298] In FIG. 38B, the processor executes BIOS code instructions from SMM space, in 4920. After optionally accessing the security hardware, in 4930, and optionally entering a BIOS management mode, in 4932, the method 4900B requests authentication from the security hardware, using the master mode logic, in 4935B. The method 4900B places the bus interface logics in master mode, in 4938. The bus interface logics would typically be between the security hardware, e.g., the south bridge, and the authentication device. The method 4900B receives the authentication data while the bus interface logics are in master mode, in 4940. The method 4900B exits master mode and flushes the buffers of the bus interface logics, in 4942. The method 4900B next verifies the authentication data, in 4944. Verifying the authentication data may include the security hardware providing an indication of the authentication data to a remote security device. If the authentication data are verified in 4948, then the method 4900B continues the boot process, in 4990. If the authentication data are not verified in 4948, then the method 4900B returns to 4935B and again requests authentication.

[0299] Note that the relative position of steps of the methods 4900A and 4900B in the boot process (or sequence), such as shown in FIG. 1A, would typically be prior to step 152. The relative position of various steps of the methods 4900A and 4900B in the boot process may also be between steps 1632 and 1650 of FIGS. 16A and 16B. Various BIOS code segments may be necessary for correct response of various devices in the computer system, such as the south bridge and authentication devices coupled thereto.

[0300] Turning now to FIGS. 39A, 39B, and 39C, block diagrams of embodiments of systems 5000A, 5000B, and 5000C for securing a device, a computer subsystem, and/or a computer system using timers to enforce periodic authentication are illustrated. In FIG. 39A, the system 5000A includes each of a computer system 5005, a computer subsystem 5020, and a device 5040 as well as a network security authenticator 5070. In FIG. 39B, the system 5000B includes a portable computer 5003 coupled to a server 5004 for authentication. In FIG. 39C, the system 5000C includes two computer systems 5003A and 5003B coupled to the server 5004 including the network security authenticator 5070.

[0301] In FIG. 39A, the system 5000A, as shown, includes the computer system 5005 coupled to the network security authenticator 5070 through a network 5065. The computer system 5005 includes logic 5007, a timer 5009, a security authenticator 5010, and the computer subsystem 5020. The computer subsystem 5020 includes logic 5027, a timer 5029, a security authenticator 5030, and the device 5040. The device 5040 includes logic 5047 and a timer 5049.

[0302] In one embodiment, the device 5040 authenticates to the computer subsystem 5020, using the security authenticator 5030, and the logic 5047 sets and monitors the timer 5049. In another embodiment, the device 5040 authenticates to the computer system 5005, using the security authenticator 5010, and the logic 5047 sets and monitors the timer 5049. In still another embodiment, the device 5040 authenticates to the network security authenticator 5070 over the network 5065, and the logic 5047 sets and monitors the timer 5049.

[0303] In one embodiment, the computer subsystem 5020 authenticates to the computer system, using the security authenticator 5010, and the logic 5027 sets and monitors the timer 5029. In another embodiment, the computer subsystem 5020 authenticates to the network security authenticator 5070 over the network 5065, and the logic 5027 sets and monitors the timer 5029. In another embodiment, the computer system 5005 authenticates to the network security authenticator 5070 over the network 5065, and the logic 5007 sets and monitors the timer 5009. Note that not all of these embodiments are mutually exclusive.

[0304] In FIG. 39B, the system 5000B includes the portable computer 5003 coupled over a remote connection to the server 5004. The operations of the system 5000B may be given in FIG. 40B below. The portable computer 5003 may include the logic 5007 and the timer 5009 shown in FIG. 39A. The server 5004 may include the network security authenticator 5070.

[0305] In FIG. 39C, the system 5000C includes two computer systems 5003A and 5003B coupled over the network 5065 to the server 5004 including the network security authenticator 5070. The computer system 5003A includes a south bridge 330G that includes security hardware 370. The security hardware 370, as shown, includes the logic 5047 and the timer 5049. The computer system 5003B includes a crypto-processor 370, in place of the logic 5047, coupled to the timer 5049. FIG. 39C illustrates that the security hardware 370 or the crypto-processor 370 may control the timer 5049 and the interactions with the network security authenticator 5070.

[0306] Turning now to FIGS. 40A and 40B, flowcharts of embodiments of methods 5100A and 5100B for securing a device, a computer subsystem, or a computer system, such as a portable computer, by limiting use to finite periods of time between successive authorizations are illustrated. The methods 5100A and 5100B may advantageously discourage theft of the device, the computer subsystem, or the computer system, as its usefulness is limited outside of or without its authorizing computer subsystem, computer system, or network security connections. While the method 5100A of FIG. 40A is a general method applicable to any of device, computer subsystem, or computer system, the method 5100B of FIG. 40B is an example of a specific method applicable to a portable computer adapted to communicate over a computer network.

[0307] In FIG. 40A, the method 5100A authenticates the device, the computer subsystem, or the computer system to the computer subsystem, the computer system, or the network security device, in 5105. Typically, the device will authenticate to the computer subsystem or the computer system, while the computer subsystem will authenticate to the computer system or the network security device, and the computer system will authenticate to the network security device. Deviations from this typical behavior may include a device authenticating to the network security device, or the computer system authenticating to another computer system.

[0308] The method 5100A sets a starting value on a timer in response to successfully authenticating the device, the computer subsystem, or the computer system, in 5110. The timer is updated in a periodic fashion, in 5115. The method 5100A checks in 5120 if the timer has expired. If the timer has not expired, in 5120, then the method 5100A continues the normal operation of the device, the computer subsystem, or the computer system in 5125, and returns to 5115. If the timer has expired, in 5120, then the method 5100A attempts to re-authenticate the device, the computer subsystem, or the computer system to the appropriate master, in 5130. If the re-authentication in 5130 is successful, in 5135, then the method 5100A returns to 5110 and resets the starting value on the timer. If the re-authentication in 5130 is not successful, in 5135, then the method 5100A shuts down the device, the computer subsystem, or the computer system until the device, the computer subsystem, or the computer system can be re-authenticated, such as during the boot process.

[0309] Note that the timer may be implemented as a count-down timer running from a set value down to the expired value of zero or a counting timer running from zero up to a predetermined value as the expired value. The set value or the predetermined value may be a constant or may be randomly selected. The set value or the predetermined value may also vary according to a predetermined algorithm, if desired. Updating the timer may occur with each increment of the system clock or a local clock, or only while the device, the computer subsystem, or the computer system is operating.

[0310] The method 5100B establishes a network connection to the network security device (or system) in 5104. The method 5100B authenticates a portable computer to the network security system, in 5106. The authentication may occur during the boot process. The method 5100B sets a starting value on a timer in response to successfully authenticating the portable computer, in 5110. The timer is updated in a periodic fashion, in 5115. The method 5100B checks in 5120 if the timer has expired. If the timer has not expired, in 5120, then the method 5100B continues the normal operation of the device, the computer subsystem, or the computer system in 5126, and returns to 5115. If the timer has expired, in 5120, then the method 5100B attempts to establish a network connection to the network security system, in 5129, and to re-authenticate the portable computer to the network security system, in 5131. If the re-authentication, in 5131, is successful, in 5135, then the method 5100B returns to 5110 and resets the starting value on the timer. If the re-authentication, in 5131, is not successful, in 5135, then the method 5100B shuts down the portable computer and requires authentication during the boot process, in 5141, before normal operations of the portable computer are allowed to resume.
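Method 5100A as a state machine, written in C as an added example rather than code from the patent. The `authenticate` callback stands in for whatever exchange the device uses with its master (paragraph [0307]); the scripted authenticator that succeeds a fixed number of times and then fails is constructed to exercise the shutdown path of 5135, as for a device separated from its authorizing system, and the count-down form of the timer follows paragraph [0309]. All struct and function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of method 5100A. The authenticator callback stands in
 * for the exchange with the master (computer subsystem, computer system or
 * network security authenticator); its internals are outside this example. */
typedef bool (*auth_fn)(void *ctx);

enum dev_state { DEV_UNAUTHENTICATED, DEV_RUNNING, DEV_SHUTDOWN };

typedef struct {
    enum dev_state state;
    uint32_t timer;        /* count-down timer (5049): expired at zero */
    uint32_t period;       /* starting value set in 5110 */
    auth_fn  authenticate; /* 5105 / 5130 */
    void    *auth_ctx;
    unsigned reauth_count; /* successful re-authentications, for reporting */
} secured_dev_t;

/* 5105 + 5110: initial authentication, e.g. during boot; on success the
 * timer is loaded with its starting value. */
static bool dev_boot(secured_dev_t *d, uint32_t period, auth_fn fn, void *ctx)
{
    d->period = period; d->authenticate = fn; d->auth_ctx = ctx;
    d->reauth_count = 0;
    if (!fn(ctx)) { d->state = DEV_SHUTDOWN; return false; }
    d->timer = period;
    d->state = DEV_RUNNING;
    return true;
}

/* One periodic update (5115) followed by the expiry check (5120).
 * Returns true if the device may continue normal operation (5125). */
static bool dev_tick(secured_dev_t *d)
{
    if (d->state != DEV_RUNNING) return false;
    if (d->timer > 0) d->timer--;
    if (d->timer > 0) return true;             /* not expired: 5125 */
    /* expired: 5130, re-authenticate to the appropriate master */
    if (d->authenticate(d->auth_ctx)) {        /* 5135 success */
        d->timer = d->period;                  /* back to 5110 */
        d->reauth_count++;
        return true;
    }
    d->state = DEV_SHUTDOWN;                   /* 5135 failure: shut down */
    return false;
}

/* Constructed authenticator: succeeds the first `allowed` times, then fails,
 * standing in for a master that is no longer reachable. */
typedef struct { unsigned allowed; unsigned calls; } scripted_auth_t;
static bool scripted_auth(void *ctx)
{
    scripted_auth_t *s = ctx;
    return s->calls++ < s->allowed;
}

/* Run the device for up to `ticks` updates; returns how many it operated. */
static unsigned dev_run(secured_dev_t *d, unsigned ticks)
{
    unsigned ran = 0;
    while (ran < ticks && dev_tick(d)) ran++;
    return ran;
}

int main(void)
{
    scripted_auth_t master = { .allowed = 3, .calls = 0 }; /* boot + 2 re-auths */
    secured_dev_t dev;
    if (!dev_boot(&dev, 10, scripted_auth, &master)) return 1;
    unsigned ran = dev_run(&dev, 100);
    printf("operated for %u ticks, re-authenticated %u times, state=%d\n",
           ran, dev.reauth_count, dev.state);
    return 0;
}
```

With a period of 10 and a master that answers three times (boot plus two renewals), the device runs for 29 ticks and is shut down on the third expiry; once in `DEV_SHUTDOWN`, `dev_tick` refuses to run until `dev_boot` authenticates again, which is the "re-authenticate during the boot process" path of 5135.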

[0311] Note that the device 5040 may represent any device 5040 in the computer system 5003 or 5005. The computer subsystem 5020 may represent any computer subsystem 5020 in the computer system 5003 or 5005. Also note that code for the authentication and timer settings may be stored in the security hardware 370 or the secure storage shown elsewhere in this disclosure, such as the BIOS ROM 365, the SMM ROM 520, the extended BIOS 555, or the protected storage 605.

[0312] Turning now to FIG. 41, a flowchart of an embodiment of a method 5200 for booting a computer system including initializing a timer to enforce periodic authentication and authorization is shown. The method includes the processor executing BIOS code instructions from SMM space, in 5220. The method 5200 may also access the security hardware, in 5230. The method 5200 may also optionally enter BIOS management mode, in 5232. The method 5200 authenticates the computer system through the security hardware, in 5235. Authentication data are provided to the security hardware, in 5240. If the authentication is not successful, in 5248, then the method 5200 shuts down the computer system until successful authentication is provided, in 5195. If the authentication is successful, in 5248, then the method 5200 sets a starting value on the timer, in response to successfully authenticating, in 5280. The method 5200 then continues the boot process, in 5290.

[0313] Turning now to FIGS. 42A and 42B, block diagrams of embodiments of the system management registers 470A and 470B are illustrated. In the embodiment shown in FIG. 42A, the secure system management registers 470A include one or more ACPI lock bits 5310A through 5310N to secure various ACPI or related functions against unauthorized changes. The ACPI lock bits 5310, once set, prevent changes to the ACPI or related functions. A request to change one of the ACPI or related functions requires that a respective ACPI lock bit 5310N be released before the respective one of the ACPI or related functions is changed.

[0314] In the embodiment shown in FIG. 42B, the secure system management registers 470B include one or more ACPI range registers 5320 and/or one or more ACPI rule registers 5330. Each of the one or more ACPI range registers 5320 may be configured to store a value or values that define allowable or preferred values for a specific ACPI or related function. Each of the one or more ACPI rule registers 5330 may be configured to store part or all of a rule for determining if a change to one of the ACPI or related functions should be allowed. Each of the one or more ACPI rule registers 5330 may also be configured to store code for evaluating the rules for determining if a change to one of the ACPI or related functions should be allowed, or for comparing a requested value or change to the value or values that define allowable or preferred values for a specific ACPI or related function stored in one of the ACPI range registers 5320.

[0315] Examples of ACPI or related functions include changing a voltage, changing a frequency, turning on or off a cooling fan, and a remote reset of the computer system. It is contemplated that other ACPI or related functions may also be used. It is noted that the voltage may be a processor voltage, the frequency may be a processor operating frequency or a bus or interface frequency, and the cooling fan may be operable or intended to cool any component in the computer system, including devices or subsystems not described herein, such as a power supply. It is noted that in various embodiments, the SMM access filters 410, such as shown in FIG. 5A, may include address range traps for directing access requests to evaluate the contents of the ACPI management registers 470A or 470B.
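A model of the secure system management registers of FIGS. 42A and 42B, added here as an example and not taken from the patent: per-function lock bits (5310), a minimum/maximum range register per function (5320) and an optional rule evaluated as a function (5330). The four functions are those paragraph [0315] names; the units, ranges, the 200 MHz step rule and all identifiers are constructed for illustration. A change request is refused by the lock bit first, then by the range register, then by the rule, and the setting is only written when all three pass.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the secure system management registers of FIGS.
 * 42A/42B. Indices, units and the rule signature are assumptions. */
enum acpi_fn { ACPI_CPU_VOLTAGE_MV, ACPI_CPU_FREQ_MHZ, ACPI_FAN_ON,
               ACPI_REMOTE_RESET, ACPI_FN_COUNT };

typedef bool (*acpi_rule_fn)(enum acpi_fn fn, int32_t current, int32_t requested);

typedef struct {
    uint8_t      lock_bits;                 /* 5310A..5310N, one bit per function */
    int32_t      range_min[ACPI_FN_COUNT];  /* 5320: allowable range */
    int32_t      range_max[ACPI_FN_COUNT];
    acpi_rule_fn rule[ACPI_FN_COUNT];       /* 5330: optional extra rule */
    int32_t      value[ACPI_FN_COUNT];      /* current setting */
} acpi_mgmt_regs_t;

enum acpi_result { ACPI_OK, ACPI_LOCKED, ACPI_OUT_OF_RANGE, ACPI_RULE_DENIED, ACPI_BAD_FN };

/* Lock bits are only reachable from code with access to the secure
 * registers (SMM, in the disclosure); the request path below never
 * touches lock_bits itself. */
static void acpi_lock(acpi_mgmt_regs_t *r, enum acpi_fn fn)   { r->lock_bits |= (uint8_t)(1u << fn); }
static void acpi_unlock(acpi_mgmt_regs_t *r, enum acpi_fn fn) { r->lock_bits &= (uint8_t)~(1u << fn); }

/* Evaluate a change request against lock bit, range register and rule
 * register, in that order. The value is written only when all pass. */
static enum acpi_result acpi_request_change(acpi_mgmt_regs_t *r, enum acpi_fn fn, int32_t requested)
{
    if (fn >= ACPI_FN_COUNT) return ACPI_BAD_FN;
    if (r->lock_bits & (1u << fn)) return ACPI_LOCKED;
    if (requested < r->range_min[fn] || requested > r->range_max[fn]) return ACPI_OUT_OF_RANGE;
    if (r->rule[fn] && !r->rule[fn](fn, r->value[fn], requested)) return ACPI_RULE_DENIED;
    r->value[fn] = requested;
    return ACPI_OK;
}

/* Constructed rule: frequency may move by at most 200 MHz per request,
 * so one write cannot jump straight to the edge of the range. */
static bool rule_max_step_200(enum acpi_fn fn, int32_t cur, int32_t req)
{
    (void)fn;
    int32_t delta = req > cur ? req - cur : cur - req;
    return delta <= 200;
}

/* Constructed configuration, as BIOS might program it in SMM. */
static void acpi_init_example(acpi_mgmt_regs_t *r)
{
    *r = (acpi_mgmt_regs_t){0};
    r->range_min[ACPI_CPU_VOLTAGE_MV] = 1100; r->range_max[ACPI_CPU_VOLTAGE_MV] = 1500;
    r->value[ACPI_CPU_VOLTAGE_MV] = 1300;
    r->range_min[ACPI_CPU_FREQ_MHZ] = 800;    r->range_max[ACPI_CPU_FREQ_MHZ] = 2000;
    r->value[ACPI_CPU_FREQ_MHZ] = 1500;
    r->rule[ACPI_CPU_FREQ_MHZ] = rule_max_step_200;
    r->range_min[ACPI_FAN_ON] = 0;            r->range_max[ACPI_FAN_ON] = 1;
    r->value[ACPI_FAN_ON] = 1;
    r->range_min[ACPI_REMOTE_RESET] = 0;      r->range_max[ACPI_REMOTE_RESET] = 1;
    acpi_lock(r, ACPI_REMOTE_RESET);          /* remote reset locked out entirely */
}

int main(void)
{
    acpi_mgmt_regs_t regs;
    acpi_init_example(&regs);
    printf("remote reset      -> %d (1 = locked)\n",
           acpi_request_change(&regs, ACPI_REMOTE_RESET, 1));
    printf("voltage 1700 mV   -> %d (2 = out of range)\n",
           acpi_request_change(&regs, ACPI_CPU_VOLTAGE_MV, 1700));
    printf("freq 1500->2000   -> %d (3 = rule denied)\n",
           acpi_request_change(&regs, ACPI_CPU_FREQ_MHZ, 2000));
    printf("freq 1500->1700   -> %d (0 = ok)\n",
           acpi_request_change(&regs, ACPI_CPU_FREQ_MHZ, 1700));
    return 0;
}
```

Keeping the lock check first means a locked function cannot even be probed for its allowable range through the request path; releasing the lock in `acpi_unlock` is a separate, privileged step, as paragraph [0313] requires.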

[0316] For the purposes of this disclosure, references to ROM are to be construed as also applying to flash memory and other substantially non-volatile memory types. Note that while the methods of the present invention disclosed herein have been illustrated as flowcharts, various elements of the flowcharts may be omitted or performed in different order in various embodiments. Note also that the methods of the present invention disclosed herein admit to variations in implementation.

[0317] Some aspects of the invention as disclosed above may be implemented in hardware or software. Thus, some portions of the detailed descriptions herein are consequently presented in terms of a hardware-implemented process and some portions of the detailed descriptions herein are consequently presented in terms of a software-implemented process involving symbolic representations of operations on data bits within a memory of a computing system or computing device. These descriptions and representations are the means used by those in the art to convey most effectively the substance of their work to others skilled in the art using both hardware and software. The process and operation of both require physical manipulations of physical quantities. In software, usually, though not necessarily, these quantities take the form of electrical, magnetic, or optical signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

[0318] It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated or otherwise as may be apparent, throughout the present disclosure, these descriptions refer to the action and processes of an electronic device that manipulates and transforms data represented as physical (electronic, magnetic, or optical) quantities within some electronic device's storage into other data similarly represented as physical quantities within the storage, or in transmission or display devices. Exemplary of the terms denoting such a description are, without limitation, the terms “processing,” “computing,” “calculating,” “determining,” “displaying,” and the like.

[0319] Note also that the software-implemented aspects of the invention are typically encoded on some form of program storage medium or implemented over some type of transmission medium. The program storage medium may be magnetic (e.g., a floppy disk or a hard drive) or optical (e.g., a compact disk read only memory, or “CD ROM”), and may be read only or random access. Similarly, the transmission medium may be twisted wire pairs, coaxial cable, optical fiber, or some other suitable transmission medium known to the art. The invention is not limited by these aspects of any given implementation.

[0320] The particular embodiments disclosed above are illustrative only, as the invention may be modified and practiced in different but equivalent manners apparent to those skilled in the art having the benefit of the teachings herein. Furthermore, no limitations are intended to the details of construction or design herein shown, other than as described in the claims below. It is therefore evident that the particular embodiments disclosed above may be altered or modified and all such variations are considered within the scope and spirit of the invention. Accordingly, the protection sought herein is as set forth in the claims below.

What is claimed is:
 1. A computer system, comprising: a bus; a memorycoupled to the bus, wherein the memory includes a plurality of storagelocations, wherein the plurality of storage locations are divided into aplurality of memory units; and a device coupled to access the memoryover the bus, wherein the device includes one or more locks configuredto control access to one or more of the plurality of memory units. 2.The computer system of claim 1, wherein the bus is configured to operateaccording to an LPC bus protocol.
 3. The computer system of claim 1,wherein the memory is a ROM.
 4. The computer system of claim 3, whereinthe ROM is a BIOS ROM.
 5. The computer system of claim 1, wherein thedevice is a south bridge.
 6. The computer system of claim 1, wherein thelocks include a plurality of registers, wherein one or more entries inone or more of the plurality of registers indicate an access controlsetting for one or more of the memory units.
 7. The computer system ofclaim 6, wherein at least one of the plurality of registers isconfigured to store three locking bits for one of the memory blocks,wherein the three locking bits include a read lock bit, a write lockbit, and a lock-down bit, wherein the read lock bit and the write lockbit are permanent until reset when the lock-down bit is set.
 8. Thecomputer system of claim 6, wherein at least one of the plurality ofregisters is configured to store eight bits, wherein the eight bitsinclude three locking bits for one of the memory blocks and anotherthree locking bits for another one of the memory blocks, wherein thethree locking bits include a first read lock bit, a first write lockbit, and a first lock-down bit, wherein when the first lock-down bit isset, the first read lock bit and the first write lock bit are permanentuntil reset, and wherein the another three locking bits include a secondread lock bit, a second write lock bit, and a second lock-down bit,wherein when the second lock-down bit is set, the second read lock bitand the second write lock bit are permanent until reset.
 9. The computersystem of claim 8, wherein the at least one of the plurality ofregisters is configured with bit 0 as the first write lock bit, bit 1 asthe first lock-down bit, bit 2 as the first read lock bit, bit 4 as thesecond write lock bit, bit 5 as the second lock-down bit, and bit 6 asthe first read lock bit.
 10. A memory, comprising: a first plurality ofstorage locations configured with BIOS data; and a second plurality ofstorage locations, wherein the second plurality of storage locationsincludes: a first plurality of blocks readable only in SMM; and a secondplurality of blocks readable in SMM and at least one operating modeother than SMM.
 11. The memory of claim 10, wherein the at least onecounter comprises a monotonic counter.
 12. The memory of claim 10,wherein the second plurality of storage locations further includes: atleast one counter stored in a flat memory space.
 13. The memory of claim12, wherein the first plurality of blocks includes a block with a writeonce lock.
 14. The memory of claim 12, wherein the first plurality ofblocks includes a block with a never erase lock.
 15. The memory of claim12, wherein the first plurality of blocks includes a block that can bewritten in SMM and in at least one operating mode other than SMM. 16.The memory of claim 12, wherein the second plurality of blocks includesa block with a write once lock.
 17. The memory of claim 12, wherein thesecond plurality of blocks includes a block with a never erase lock. 18.The memory of claim 12, wherein the plurality of blocks includes a blockthat can be written in SMM and in at least one operating mode other thanSMM.
 19. The memory of claim 10, wherein the first plurality of storagelocations are addressed in an address range including from FFFF,FFFFh toFFC0,0000h.
 20. The memory of claim 10, wherein the second plurality ofstorage locations are addressed in an address range including fromFFBF,FFFFh to FFB0,0000h
 21. A method for operating a computer system,the method comprising: requesting a memory transaction for one or morememory addresses; determining a lock status for the one or more memoryaddresses; returning the lock status for the one or more memoryaddresses; determining if the lock status for the one or more memoryaddresses can be changed if the lock status indicates that the memorytransaction for the one or more memory addresses is not allowed;changing the lock status of the one or more memory addresses to allowthe memory transaction if the lock status of the one or more memoryaddresses can be changed.
 22. The method of claim 21, whereindetermining a lock status includes reading a first lock bit; and whereinreturning the lock status includes returning the value of the first lockbit.
 23. The method of claim 22, wherein determining if the lock statusfor the one or more memory address can be changed includes reading asecond lock bit.
 24. The method of claim 23, wherein changing the lockstatus of the one or more memory addresses to allow the memorytransaction includes changing the value of the first lock bit.
25. A method of operating a computer system, the method comprising: issuing a request from a first device for a memory transaction for a memory location; receiving the request for the memory transaction at a second device that does not include the memory location or a copy of the contents of the memory location; returning a response from the second device to the first device issuing the request for the memory transaction.
26. The method of claim 25, wherein returning the response from the second device includes ending the memory transaction without the memory transaction reaching the memory location.
27. The method of claim 25, further comprising: ending the request for the memory transaction without the memory location responding to the request for the memory transaction.
28. The method of claim 25, wherein the second device includes a bridge coupled between the first device and the memory location, wherein said returning the response from the second device to the first device issuing the request for the memory transaction includes returning the response from the bridge to the first device issuing the request for the memory transaction.
29. The method of claim 28, wherein said returning the response from the bridge to the first device issuing the request for the memory transaction includes responding from an access filter within the bridge with a predetermined value upon receipt of the request for the memory transaction for the memory location, when the computer system is operating in a first operating mode.
30. The method of claim 29, wherein said issuing the request from the first device for the memory transaction for the memory location includes issuing the request from the first device for the memory transaction for the memory location in a ROM.
31. The method of claim 29, wherein said issuing the request from the first device for the memory transaction for the memory location includes issuing the request from the first device for the memory transaction for the memory location in a flash memory.
32. The method of claim 25, wherein said issuing the request from the first device for the memory transaction for the memory location includes issuing the request from the first device for the memory transaction for the memory location in a memory.
33. The method of claim 25, wherein the first device includes security hardware, wherein said receiving the request for the memory transaction at the second device that does not include the memory location or the copy of the contents of the memory location includes receiving the request for the memory transaction at the security hardware within the first device; and wherein said returning the response from the second device to the first device issuing the request for the memory transaction includes returning the response from the security hardware to the first device issuing the request for the memory transaction.
34. The method of claim 25, further comprising: reading a first value from a memory location within the second device before returning the response, wherein the memory location within the second device is different from the memory location for the memory transaction.
35. A computer system, comprising: means for requesting a memory transaction for one or more memory addresses; means for determining a lock status for the one or more memory addresses; means for returning the lock status for the one or more memory addresses; means for determining if the lock status for the one or more memory addresses can be changed if the lock status indicates that the memory transaction for the one or more memory addresses is not allowed; means for changing the lock status of the one or more memory addresses to allow the memory transaction if the lock status of the one or more memory addresses can be changed.
36. The computer system of claim 35, wherein the means for determining the lock status comprises means for reading a first lock bit; and wherein the means for returning the lock status includes means for returning the value of the first lock bit.
37. The computer system of claim 36, wherein determining if the lock status for the one or more memory addresses can be changed includes reading a second lock bit.
38. The computer system of claim 37, wherein the means for changing the lock status of the one or more memory addresses to allow the memory transaction includes means for changing the value of the first lock bit.
39. A computer system, comprising: means for issuing a request from a first device for a memory transaction for a memory location; means for receiving the request for the memory transaction at a second device that does not include the memory location or a copy of the contents of the memory location; and means for returning a response from the second device to the first device issuing the request for the memory transaction.
40. The computer system of claim 39, wherein the means for returning the response from the second device includes means for ending the memory transaction without the memory transaction reaching the memory location.
41. The computer system of claim 39, further comprising: means for ending the request for the memory transaction without the memory location responding to the request for the memory transaction.
42. The computer system of claim 39, wherein the second device includes a bridge coupled between the first device and the memory location, wherein the means for returning the response from the second device to the first device issuing the request for the memory transaction includes means for returning the response from the bridge to the first device issuing the request for the memory transaction.
43. The computer system of claim 42, wherein the means for returning the response from the bridge to the first device issuing the request for the memory transaction includes means for responding from an access filter within the bridge with a predetermined value upon receipt of the request for the memory transaction for the memory location, when the computer system is operating in a first operating mode.
44. The computer system of claim 43, wherein the means for issuing the request from the first device for the memory transaction for the memory location includes means for issuing the request from the first device for the memory transaction for the memory location in a ROM.
45. The computer system of claim 43, wherein the means for issuing the request from the first device for the memory transaction for the memory location includes means for issuing the request from the first device for the memory transaction for the memory location in a flash memory.
46. The computer system of claim 39, wherein the means for issuing the request from the first device for the memory transaction for the memory location includes means for issuing the request from the first device for the memory transaction for the memory location in a memory.
47. The computer system of claim 39, wherein the first device includes security hardware, wherein the means for receiving the request for the memory transaction at the second device that does not include the memory location or the copy of the contents of the memory location includes means for receiving the request for the memory transaction at the security hardware within the first device; and wherein the means for returning the response from the second device to the first device issuing the request for the memory transaction includes means for returning the response from the security hardware to the first device issuing the request for the memory transaction.
48. The computer system of claim 39, further comprising: means for reading a first value from a memory location within the second device before returning the response, wherein the memory location within the second device is different from the memory location for the memory transaction.
49. A computer readable program storage device encoded with instructions that, when executed by a computer system, performs a method of operating the computer system, the method comprising: requesting a memory transaction for one or more memory addresses; determining a lock status for the one or more memory addresses; returning the lock status for the one or more memory addresses; determining if the lock status for the one or more memory addresses can be changed if the lock status indicates that the memory transaction for the one or more memory addresses is not allowed; changing the lock status of the one or more memory addresses to allow the memory transaction if the lock status of the one or more memory addresses can be changed.
50. The computer readable program storage device of claim 49, wherein determining a lock status includes reading a first lock bit; and wherein returning the lock status includes returning the value of the first lock bit.
51. The computer readable program storage device of claim 50, wherein determining if the lock status for the one or more memory addresses can be changed includes reading a second lock bit.
52. The computer readable program storage device of claim 51, wherein changing the lock status of the one or more memory addresses to allow the memory transaction includes changing the value of the first lock bit.
53. A computer readable program storage device encoded with instructions that, when executed by a computer system, performs a method of operating the computer system, the method comprising: issuing a request from a first device for a memory transaction for a memory location; receiving the request for the memory transaction at a second device that does not include the memory location or a copy of the contents of the memory location; returning a response from the second device to the first device issuing the request for the memory transaction.
54. The computer readable program storage device of claim 53, wherein returning the response from the second device includes ending the memory transaction without the memory transaction reaching the memory location.
55. The computer readable program storage device of claim 53, the method further comprising: ending the request for the memory transaction without the memory location responding to the request for the memory transaction.
56. The computer readable program storage device of claim 53, wherein the second device includes a bridge coupled between the first device and the memory location, wherein said returning the response from the second device to the first device issuing the request for the memory transaction includes returning the response from the bridge to the first device issuing the request for the memory transaction.
57. The computer readable program storage device of claim 56, wherein said returning the response from the bridge to the first device issuing the request for the memory transaction includes responding from an access filter within the bridge with a predetermined value upon receipt of the request for the memory transaction for the memory location, when the computer system is operating in a first operating mode.
58. The computer readable program storage device of claim 57, wherein said issuing the request from the first device for the memory transaction for the memory location includes issuing the request from the first device for the memory transaction for the memory location in a ROM.
59. The computer readable program storage device of claim 57, wherein said issuing the request from the first device for the memory transaction for the memory location includes issuing the request from the first device for the memory transaction for the memory location in a flash memory.
60. The computer readable program storage device of claim 53, wherein said issuing the request from the first device for the memory transaction for the memory location includes issuing the request from the first device for the memory transaction for the memory location in a memory.
61. The computer readable program storage device of claim 53, wherein the first device includes security hardware, wherein said receiving the request for the memory transaction at the second device that does not include the memory location or the copy of the contents of the memory location includes receiving the request for the memory transaction at the security hardware within the first device; and wherein said returning the response from the second device to the first device issuing the request for the memory transaction includes returning the response from the security hardware to the first device issuing the request for the memory transaction.
62. The computer readable program storage device of claim 53, the method further comprising: reading a first value from a memory location within the second device before returning the response, wherein the memory location within the second device is different from the memory location for the memory transaction.
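The two claimed mechanisms, the two-bit lock-status check of claims 49-52 and the bridge access filter of claims 53-57, as a constructed C model added here (not the patent's own code). The unit size, the number of units, the filter value 0xFF and the reading of the non-SMM mode as the claims' "first operating mode" are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the claimed mechanism (not the patent's own code):
 * memory behind a bridge is split into units, each with a lock register
 * holding a first lock bit (transaction allowed or not) and a second lock
 * bit (whether the first bit may still be changed). Sizes are assumed. */
#define NUM_UNITS 4
#define UNIT_SIZE 0x100
#define FILTER_VALUE 0xFF   /* assumed "predetermined value" the filter returns */

enum mode { MODE_NORMAL = 0, MODE_SMM = 1 };

struct lock_reg {
    bool locked;   /* first lock bit: 1 = memory transaction not allowed */
    bool frozen;   /* second lock bit: 1 = first lock bit cannot be changed */
};

struct bridge {
    struct lock_reg locks[NUM_UNITS];
    uint8_t mem[NUM_UNITS * UNIT_SIZE];  /* the memory locations behind the bridge */
};

static int unit_of(uint32_t addr) { return (int)(addr / UNIT_SIZE); }

/* Claims 49-52: determine and return the lock status for the address; if the
 * transaction is not allowed, read the second lock bit and clear the first
 * lock bit only when that is permitted. Returns whether the transaction may proceed. */
bool request_transaction(struct bridge *b, uint32_t addr)
{
    if (addr >= NUM_UNITS * UNIT_SIZE) return false;   /* outside the modelled memory */
    struct lock_reg *l = &b->locks[unit_of(addr)];
    if (!l->locked) return true;   /* lock status: allowed */
    if (l->frozen) return false;   /* second lock bit set: status cannot be changed */
    l->locked = false;             /* change the first lock bit, then allow */
    return true;
}

/* Claims 53-57: the access filter inside the bridge answers a read of a locked
 * unit itself with FILTER_VALUE when the system is not in SMM, so the request
 * ends without ever reaching the memory location. Treating non-SMM as the
 * "first operating mode" is an assumption taken from the abstract. */
uint8_t filtered_read(const struct bridge *b, uint32_t addr, enum mode m)
{
    if (addr >= NUM_UNITS * UNIT_SIZE) return FILTER_VALUE;
    if (m != MODE_SMM && b->locks[unit_of(addr)].locked) return FILTER_VALUE;
    return b->mem[addr];   /* unlocked, or in SMM: the real contents are returned */
}
```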